From gjbroom@kinsella.csc.UVic.CA Thu Jan 25 16:27:47 1996
Received: from kinsella.csc.UVic.CA (kinsella.csc.UVic.CA [142.104.100.119]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id QAA20928 for ; Thu, 25 Jan 1996 16:27:44 -0800 (PST)
Received: (from gjbroom@localhost) by kinsella.csc.UVic.CA (8.6.12/8.6.12) id QAA21837; Thu, 25 Jan 1996 16:27:46 -0800
Message-Id: <199601260027.QAA21837@kinsella.csc.UVic.CA>
Date: Thu, 25 Jan 1996 16:27:46 -0800
From: Gord Broom
Reply-To: gjbroom@kinsella.csc.UVic.CA
To: FreeBSD-gnats-submit@freebsd.org
Subject: inetd.conf should comment out k-services if no Kerberos present
X-Send-Pr-Version: 3.2

>Number: 972
>Category: conf
>Synopsis: inetd.conf should comment out k-services if no Kerberos present
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: closed
>Quarter:
>Keywords:
>Date-Required:
>Class: support
>Submitter-Id: current-users
>Arrival-Date: Thu Jan 25 16:30:01 PST 1996
>Closed-Date: Wed Jan 8 13:02:38 PST 1997
>Last-Modified: Wed Jan 8 13:04:43 PST 1997
>Originator: Gord Broom Research Programmer, University of Victoria
>Release: FreeBSD 2.1-STABLE i386
>Organization:
Gord Broom Programmer/Analyst
Department of Computer Science, University of Victoria, CANADA
"Sure, alcohol kills brain cells. But only the weak ones."
>Environment:

Any CD-ROM installation.

>Description:

By default, the CD-ROM doesn't contain any DES or kerberos code.
People in the USA and Canada can legally FTP the missing bits from
ftp.freebsd.org and install them. If you install kerb on one machine
but not another, remote logins to the unkerb-ed machine will fail because
inetd.conf thinks that kerberos is there.

>How-To-Repeat:

Add the kerberos package to one system but not another, try to
rlogin from the kerberized one.

>Fix:

Comment out the offending lines from inetd.conf

Here's a patch to do just that:

*** inetd.conf Thu Jan 25 16:20:08 1996 --- inetd.conf.new Thu Jan 25 16:20:36 1996 *************** *** 27,36 **** #daytime dgram udp wait root internal #time dgram udp wait root internal # Kerberos authenticated services ! klogin stream tcp nowait root /usr/libexec/rlogind rlogind -k ! eklogin stream tcp nowait root /usr/libexec/rlogind rlogind -k -x ! kshell stream tcp nowait root /usr/libexec/rshd rshd -k ! rkinit stream tcp nowait root /usr/libexec/rkinitd rkinitd # Services run ONLY on the Kerberos server # Neither of these work in FreeBSD 1.x. #krbupdate stream tcp nowait root /usr/libexec/registerd registerd --- 27,36 ---- #daytime dgram udp wait root internal #time dgram udp wait root internal # Kerberos authenticated services ! #klogin stream tcp nowait root /usr/libexec/rlogind rlogind -k ! #eklogin stream tcp nowait root /usr/libexec/rlogind rlogind -k -x ! #kshell stream tcp nowait root /usr/libexec/rshd rshd -k ! #rkinit stream tcp nowait root /usr/libexec/rkinitd rkinitd # Services run ONLY on the Kerberos server # Neither of these work in FreeBSD 1.x. #krbupdate stream tcp nowait root /usr/libexec/registerd registerd

>Release-Note:
>Audit-Trail:

From: J Wunsch
To: gjbroom@kinsella.csc.UVic.CA
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: conf/972: inetd.conf should comment out k-services if no Kerberos present
Date: Fri, 26 Jan 1996 09:17:39 +0100 (MET)

As Gord Broom wrote:
>
> By default, the CD-ROM doesn't contain any DES or kerberos code.
> People in the USA and Canada can legally FTP the missing bits from
> ftp.freebsd.org and install them. If you install kerb on one machine
> but not another, remote logins to the unkerb-ed machine will fail because
> inetd.conf thinks that kerberos is there.

> >Fix:
>
> Comment out the offending lines from inetd.conf

Hmm, the problem is that this f*** US policy causes us already a bunch
of grey hairs while making a release.
Now, one of the distributions needs an inetd.conf with it and one
needs an inetd.conf without it. Ick. :-((

--
cheers, J"org

joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)

State-Changed-From-To: open->feedback
State-Changed-By: scrappy
State-Changed-When: Tue Oct 22 14:36:01 PDT 1996
State-Changed-Why:

Does anyone have an opinion on this one?

Basically, since Kerberos isn't distributed on the CD, Originator
suggests commenting out the appropriate entries in /etc/inetd.conf

Are there any reasons, security or otherwise, where leaving them
enabled is a bad thing?

From: Garrett Wollman
To: "Marc G. Fournier"
Cc: freebsd-gnats-submit@freefall.freebsd.org
Subject: Re: conf/972
Date: Wed, 23 Oct 1996 12:20:00 -0400

< said:

> Basically, since Kerberos isn't distributed on the CD, Originator
> suggests commenting out the appropriate entries in /etc/inetd.conf

> Are there any reasons, security or otherwise, where leaving them
> enabled is a bad thing?

Yes. If they are enabled, then a Kerberized host attempting to talk to
a non-Kerberized host will see `krlogin' succeed and then immediately
drop, rather than failing (the correct behavior). Thus, the automatic
fallback does not work in this case.

-GAWollman

--
Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu  | O Siem / The fires of freedom
Opinions not those of| Dance in the burning flame
MIT, LCS, ANA, or NSA| - Susan Aglukark and Chad Irschick

State-Changed-From-To: feedback->analyzed
State-Changed-By: wollman
State-Changed-When: Tue Dec 17 08:24:54 PST 1996
State-Changed-Why:
I think that this may have been fixed, but I'm not sure.

State-Changed-From-To: analyzed->closed
State-Changed-By: max
State-Changed-When: Wed Jan 8 13:02:38 PST 1997
State-Changed-Why:
This change has been applied in inetd.conf Rev. 1.24.

>Unformatted:
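
Review bot: in the changed block under "# Kerberos authenticated services", the four entries (klogin, eklogin, kshell, rkinit) are commented out but that header comment is left unchanged, so nothing in the file tells an administrator who later installs Kerberos that these are the lines to re-enable. Suggest extending the header, for example "# Kerberos authenticated services (uncomment only when Kerberos is installed)". The replacement lines use a leading "#" with no space, the same form as the neighbouring disabled entries #daytime and #krbupdate, which keeps the file consistent.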
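
The condition discussed in this report, Kerberos service entries left active in inetd.conf on a host without Kerberos, can be checked for mechanically. The following is an added example, not part of the original report or of FreeBSD: the function names and the sample file are constructed for illustration, and the service list is the four names from the patch.

```sh
#!/bin/sh
# Service names taken from the patch in this report.
KSERVICES="klogin eklogin kshell rkinit"

# Constructed sample inetd.conf (hypothetical host without Kerberos).
sample_conf() {
cat <<'EOF'
ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
#daytime dgram udp wait root internal
# Kerberos authenticated services
klogin stream tcp nowait root /usr/libexec/rlogind rlogind -k
eklogin stream tcp nowait root /usr/libexec/rlogind rlogind -k -x
kshell stream tcp nowait root /usr/libexec/rshd rshd -k
rkinit stream tcp nowait root /usr/libexec/rkinitd rkinitd
#krbupdate stream tcp nowait root /usr/libexec/registerd registerd
EOF
}

# Print "line service server" for each active (uncommented) entry whose
# service name is in KSERVICES. Fields: service type proto wait user server args.
enabled_kservices() {
    awk -v list="$KSERVICES" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) k[a[i]] = 1 }
        /^[ \t]*#/ || NF < 6 { next }   # skip comments, blanks, short lines
        ($1 in k) { print NR, $1, $6 }
    ' "$1"
}

# Emit the file with those entries commented out; other lines pass through.
disable_kservices() {
    awk -v list="$KSERVICES" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) k[a[i]] = 1 }
        !/^[ \t]*#/ && NF >= 6 && ($1 in k) { print "#" $0; next }
        { print }
    ' "$1"
}

# Demo on the constructed sample: audit, fix a copy, audit again.
conf=$(mktemp); fixed=$(mktemp)
sample_conf > "$conf"
echo "active Kerberos entries before:"; enabled_kservices "$conf"
disable_kservices "$conf" > "$fixed"
echo "active Kerberos entries after: $(enabled_kservices "$fixed" | wc -l)"
rm -f "$conf" "$fixed"
```

On a real host, run the functions against /etc/inetd.conf; inetd only picks up an edited file after it is told to re-read its configuration.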