Dear all,

an hour ago I pushed a very important set of changes that alters telnet and telnetd, client and server, when they are using Kerberos authentication in the form of libshishi. I want to describe the changes for our common understanding.

* The ability to authorize access using "$HOME/.k5login" is implemented in telnetd, rshd, and rlogind, for future versions of libshishi, i.e., version at least 1.0.2. This condition is due to the broken support in present libshishi-1.0.1. Remember also that "$HOME/.k5login" consists of such qualified name strings, never a naked principal's name.

* The client side is acknowledging authentication with his qualified principal name, like "[email protected]", not only printing his realm as was done previously.

* There was a call to shishi_done() executed from within auth_finished() until yesterday. That led to the premature release of the Shishi handle, and sometimes segfaults. I have now inserted one manual shishi_done() that seems to take care of the client. The server, however, will never execute shishi_done() with the present code. I am not sure whether we should accept this, and I am not sure where the earliest possible location for the call would be. It is certainly too early to place the call within krb5shishi_is_auth(), as was previously the case. Help in examining and testing this is welcome.

Simon has informed me that he has applied my patches to libshishi for mending "k5login" authentication, so a build of libshishi from the development head, and downgrading to shishi_check_version("1.0.1") in libinetutils/shishi.c and libtelnet/shishi.h will allow testing our servers in a live setting.

Best regards for now,
Mats E A
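
The rule stated in the message, that "$HOME/.k5login" lists realm-qualified principal names and never a naked name, is illustrated by the following added example; it is not code from the message, from inetutils, or from libshishi. The function name `k5login_authorizes`, the whole-line exact-match rule, the whitespace trimming, and the sample principals are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: return 1 if `principal` appears as a whole line in
   `contents` (the text of a .k5login file), else 0.  The principal must be
   realm-qualified ("name@REALM"); a naked name never authorizes, whether it
   is presented by the client or found in the file. */
int k5login_authorizes(const char *contents, const char *principal)
{
    const char *line = contents;
    size_t plen;

    if (!contents || !principal || !strchr(principal, '@'))
        return 0;                      /* reject unqualified principals */
    plen = strlen(principal);

    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *next = eol ? eol + 1 : line + len;

        /* Trim trailing blanks and CR, then leading blanks. */
        while (len > 0 && strchr(" \t\r", line[len - 1]))
            len--;
        while (len > 0 && (*line == ' ' || *line == '\t')) {
            line++;
            len--;
        }
        /* Exact, case-sensitive, full-length match only: a prefix or a
           longer realm must not be accepted (assumed comparison rule). */
        if (len == plen && memcmp(line, principal, plen) == 0)
            return 1;
        line = next;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample file contents; "bob" is a naked name. */
    const char *sample =
        "alice@EXAMPLE.ORG\nbob\n  carol/admin@EXAMPLE.ORG \r\n";

    printf("alice@EXAMPLE.ORG -> %d\n", k5login_authorizes(sample, "alice@EXAMPLE.ORG"));
    printf("bob               -> %d\n", k5login_authorizes(sample, "bob"));
    printf("bob@EXAMPLE.ORG   -> %d\n", k5login_authorizes(sample, "bob@EXAMPLE.ORG"));
    return 0;
}
```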
