ports/160500: [patch] security/krb5 take upstream patch to fix kadmin
Ben Kaduk
kaduk at mit.edu
Tue Sep 6 05:10:02 UTC 2011
>Number: 160500
>Category: ports
>Synopsis: [patch] security/krb5 take upstream patch to fix kadmin
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Tue Sep 06 05:10:01 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Ben Kaduk
>Release: 9-current
>Organization:
MIT SIPB
>Environment:
FreeBSD ambage.mit.edu 9.0-CURRENT FreeBSD 9.0-CURRENT #29: Thu May 12 23:38:56 EDT 2011 kaduk at hysteresis.mit.edu:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
I recently needed to bump the kvno of a keytab at a site with an MIT Kerberos deployment (i.e. ATHENA.MIT.EDU). The pain of running MIT krb5 on a system with Heimdal in base aside, once I set up a jail built with WITHOUT_KERBEROS=yes and installed krb5, I was *still* unable to use k5srvutil (well, kadmin) to update the key (or, in fact, do anything with kadmin):
# KRB5_TRACE=/dev/stdout kadmin -p zonetest
Authenticating as principal zonetest with password.
Password for zonetest at ATHENA.MIT.EDU: [inputs password]
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
On the MIT Zephyr IM system, Kerberos developer Greg Hudson suggested that I needed a patch which is due to come out in 1.9.2,
https://github.com/krb5/krb5-anonsvn/commit/043533c2f13d2bc69316fdf5ef80f0db581df40f
Getting an actual patch file from the github interface seems difficult, but I applied the patch ~by-hand to produce the attached.
Please consider including the patch in our port pending the 1.9.2 release.
>How-To-Repeat:
Try to use kadmin.
>Fix:
Patch attached with submission follows:
--- lib/rpc/clnt_tcp.c.orig 2011-09-06 02:05:14.000000000 +0000
+++ lib/rpc/clnt_tcp.c 2011-09-06 02:10:30.000000000 +0000
@@ -187,9 +187,16 @@
ct->ct_sock = *sockp;
ct->ct_wait.tv_usec = 0;
ct->ct_waitset = FALSE;
- if (raddr == NULL)
- memset(&ct->ct_addr, 0, sizeof(ct->ct_addr));
+ if (raddr == NULL) {
+ /* Get the remote address from the socket, if it's IPv4. */
+ struct sockaddr_in sin;
+ socklen_t len = sizeof(sin);
+ int ret = getpeername(ct->ct_sock, (struct sockaddr *)&sin, &len);
+ if (ret == 0 && len == sizeof(sin) && sin.sin_family == AF_INET)
+ ct->ct_addr = sin;
else
+ memset(&ct->ct_addr, 0, sizeof(ct->ct_addr));
+ } else
ct->ct_addr = *raddr;
/*
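Review bot: the new getpeername() branch only recovers an IPv4 peer (it requires `len == sizeof(sin)` and `sin.sin_family == AF_INET`); an IPv6 peer, or a getpeername() failure, still falls through to the zero-filled ct_addr that the old code always produced, so the fix is deliberately conservative and only changes behaviour where the peer address can be recovered. That matches the upstream commit the submitter cites, but it is worth stating in the port's patch header so nobody expects it to help an IPv6-only kadmin server. Separately, the hunk header `@@ -187,9 +187,16 @@` counts one more line on each side than appears above (8 old / 15 new are visible), which suggests a blank context line was lost in the mail; confirm the attached file applies cleanly (e.g. `patch --dry-run`) before committing it to the port.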
>Release-Note:
>Audit-Trail:
>Unformatted: