Date: Sun, 26 Nov 1995 15:30:06 -0500
From: Sam Hartman <hartmans@MIT.EDU>
To: krbdev@MIT.EDU

	As we approach the release of beta-6, it becomes apparent that
I will not have time to make a few bug fixes and improvements before
the end of classes.  I was talking to Chris and he suggested checking
these into TODO (or, at least, the bug fixes); I will do that, but I
thought I would send a note here as well.

	In particular, I am aware of two bugs with libpty and one bug
with rlogind that I will not be able to fix until Christmas or so:

* Utmp and wtmp handling is fairly broken on SunOS and Ultrix.  The
libpty code assumes that ttyslot() does something reasonable when it
is cleaning out a utmp/wtmp entry on logout.  This is incorrect;
ttyslot() depends on being able to find the tty on stdin or stdout,
and neither file descriptor is open at that point; the proper solution
is probably to search through /etc/utmp for the line we have.  I
cannot remember the result of the first call to ttyslot() because the
initial utmp stuff is often done in the child process, but the parent
always does the cleanup.  It is just a matter of redesigning
interfaces to pty_update_utmp and implementing the fix; the problem is
well-understood.

*  On Solaris and possibly other systems, utmpx and wtmpx are being
updated incorrectly.  Solaris expects the username to be in logout
records in utmpx and particularly wtmpx.  (This, BTW, is bogus design,
because telnetd and rlogind often don't know the user name; you have
to look it up in the utmpx login record first.)  The main symptom of
this problem is last username doesn't notice the logout records for
username, although last | grep username works fine.  Again, the problem
is fairly well-understood; it's just implementing the fix.

*  There is an interesting interaction between rlogin and rlogind,
which shows up on Solaris and SunOS.  If you hit ctrl-C, the
connection is wedged if the ctrl-C is interpreted by the remote end as
an interrupt character.  (This at first was confused as a bug Barry
fixed a while back where ctrl-C interrupted rlogind as well as the
child process.  I'm fairly certain that bug has been squashed, after
looking at a similar patch recently resubmitted, and talking to people
about the problem; I fixed it this summer, possibly exposing the
wedging problem.)  The rlogind wedges problem requires more
investigation; it is not understood at this time.

	I also have been planning to make the following changes to
*  I need to rearrange the location of the compat_recvauth functions,
etc, to remove any dependency on libkrb4 by libkrb5 so shared
libraries can be simplified and will start working on AIX again.  

* Telnetd and rlogind do not properly deal with machines with multiple
A records for the same domain, or setups like the MIT dialups.  I
think ops would appreciate this getting fixed before krb5 becomes
widely deployed.  (This was the problem warlord submitted recently).
Basically, the current code does a forward resolve on the hostname,
gets an IP, connects to that address, does another forward resolve on
the hostname to canonicalize it for a service principal, then tries
to get tickets.  If you have a round-robin name server, the second
forward resolve gets you tickets for the wrong host.  The easiest
solution to this problem is to add an additional API for sendauth that
takes a network address and reverse resolves it instead of taking a
host name.  (We have not actually committed to fixing this bug yet,
but I think we should do so.  Besides being essential for the MIT
dialups, this is also required if we want to support multiple A
records for a single machine--something that is certainly allowed by
the RFCs.)  It would be nice if someone could do this before beta-6 as
it involves an API addition.
* There is no way to tell krlogin to accept v4 and v5 authentication
without rhosts authentication.  You can tell it to take v5 only, but
not both v4 and v5.  I reported this a while back, and Ted decided on
how he wanted the option processing for the krlogind command line to
work, but I haven't had time to implement.  I'm not sure this is as
big of a problem as the libpty bugs, but it will require a change in
the command line interface to krlogind, so we might want to let people
know it will eventually happen when we release beta-6.

	Besides bugs, I had received tentative approval to make the
following functionality changes.  I would like to request a waiver from
the functionality freeze at beta-6 for the first change if no one else
has time to implement it before beta-6.  The second change is
something I would still like to do, but there is no reason it can't
wait until krb5 1.1 or whatever--I will either check it in on a
separate branch or just send a patch to krb5-bugs for checkin after
the 1.0 release.

*  In order to make krshd secure, it should use the checksum slot in
the authenticator to checksum its command line.  This can be done
without breaking compatibility with old clients and servers; see my
previous message on this topic.

*  Over the summer I talked to Ted about adding an option to krshd,
krlogind and ktelnetd to accept any host/* key in the v5srvtab.  At
that time, I argued that it would be required for the
dialups.  This actually isn't quite true; in the dialup configuration
it could defeat replay caching, and if the bug fix with reverse
resolution is implemented both for Windows, Mac and Unix clients (see
above), this is unnecessary for the dialups.  However, the other
argument for the option was for multi-realmed servers--servers that
have keys directly in multiple realms or having multiple hostnames in
the same realm.  (This is the main reason I would like to see this
option; I expect to need it in a project I'm working on external to
MIT, and since I'll have to write the code anyway, I would like to
check it in eventually.)
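The two libpty utmp items above (cleanup by searching for the line rather than calling ttyslot(), and carrying the user name into the Solaris logout record) can be shown together in one small program. This is an added example, not libpty or krb5 code: the struct, the field sizes, the function names find_utmp_by_line and pty_logout_line, and the table contents are all constructed for illustration, and the in-memory table stands in for /etc/utmp.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not libpty code. struct utrec is a constructed stand-in
 * for the utmp/utmpx fields that matter here (real layouts differ between
 * SunOS, Ultrix and Solaris); utmp_table stands in for /etc/utmp. */
#define UT_LINESIZE 32
#define UT_NAMESIZE 32
#define UT_HOSTSIZE 64

struct utrec {
    char ut_line[UT_LINESIZE];   /* tty line, e.g. "pts/3" (no "/dev/") */
    char ut_name[UT_NAMESIZE];   /* login name; blank once logged out */
    char ut_host[UT_HOSTSIZE];   /* remote host; blank once logged out */
    long ut_time;                /* seconds since the epoch */
};

/* Constructed sample contents of /etc/utmp. */
#define NREC 4
static struct utrec utmp_table[NREC] = {
    { "console", "root",  "",                 800000000L },
    { "pts/1",   "alice", "dialup-1.mit.edu", 800000100L },
    { "pts/3",   "bob",   "athena.mit.edu",   800000200L },
    { "pts/7",   "",      "",                 800000300L },  /* already logged out */
};

/* Locate the record for `line` by scanning the table. This works in the
 * parent process after the child has gone away; ttyslot() does not,
 * because it looks for the tty on stdin/stdout, which the parent does not
 * have open at cleanup time. Returns the index or -1. */
int find_utmp_by_line(const struct utrec *tab, int n, const char *line)
{
    int i;
    for (i = 0; i < n; i++)
        if (strncmp(tab[i].ut_line, line, UT_LINESIZE) == 0)
            return i;
    return -1;
}

/* Log `line` out: fill in a logout record for wtmp/wtmpx and blank the
 * live utmp entry. The user name is copied from the login record into the
 * logout record first, since Solaris expects it there (otherwise
 * `last username` does not see the logout). Returns 0, or -1 if there is
 * no active login on the line. */
int pty_logout_line(struct utrec *tab, int n, const char *line, long now,
                    struct utrec *logout)
{
    int i = find_utmp_by_line(tab, n, line);
    if (i < 0 || tab[i].ut_name[0] == '\0')
        return -1;

    memset(logout, 0, sizeof *logout);
    strncpy(logout->ut_line, tab[i].ut_line, UT_LINESIZE - 1);
    strncpy(logout->ut_name, tab[i].ut_name, UT_NAMESIZE - 1);
    logout->ut_time = now;

    /* The live entry keeps its line but loses name and host. */
    memset(tab[i].ut_name, 0, UT_NAMESIZE);
    memset(tab[i].ut_host, 0, UT_HOSTSIZE);
    tab[i].ut_time = now;
    return 0;
}

int main(void)
{
    struct utrec out;
    if (pty_logout_line(utmp_table, NREC, "pts/3", 800000999L, &out) == 0)
        printf("logout record: line=%s name=%s time=%ld\n",
               out.ut_line, out.ut_name, out.ut_time);
    if (pty_logout_line(utmp_table, NREC, "pts/3", 800001000L, &out) != 0)
        printf("pts/3: no active login to clear\n");
    return 0;
}
```

Because the lookup key is the line name the parent already knows, the result of the child's earlier ttyslot() call never has to be carried across the fork, which is the interface problem the message describes.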
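The round-robin problem with telnetd/rlogind, and the proposed sendauth variant that reverse resolves the connected address, as an added example that is not part of the original message or of krb5. The "DNS" here is a constructed in-memory table: one name with two A records and a PTR record per address; forward_resolve() rotates through the pool on successive calls the way a round-robin name server does, and the names, addresses, and functions (sendauth_by_name, sendauth_by_addr, server_accepts) are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not krb5 code. The pool below is a constructed stand-in
 * for DNS data: each member has an address (A record) and the canonical
 * name its PTR record gives back. */
struct host { const char *addr; const char *canon; };

#define POOL_NAME "dialup.mit.edu"
static const struct host pool[] = {
    { "18.1.1.1", "dialup-1.mit.edu" },
    { "18.1.1.2", "dialup-2.mit.edu" },
};
#define NPOOL (int)(sizeof pool / sizeof pool[0])

static int rr_next = 0;          /* round-robin position */
void resolver_reset(void) { rr_next = 0; }

/* gethostbyname() stand-in: each call for POOL_NAME hands out the next
 * pool member, address and canonical name together. */
const struct host *forward_resolve(const char *name)
{
    if (strcmp(name, POOL_NAME) != 0)
        return NULL;
    return &pool[rr_next++ % NPOOL];
}

/* gethostbyaddr() stand-in: PTR lookup of an address. */
const char *reverse_resolve(const char *addr)
{
    int i;
    for (i = 0; i < NPOOL; i++)
        if (strcmp(pool[i].addr, addr) == 0)
            return pool[i].canon;
    return NULL;
}

struct conn { const char *peer_addr; char principal[64]; };

/* The sequence described in the message: forward resolve, connect to that
 * address, forward resolve the name again to canonicalize it for the
 * service principal. Under round robin the second lookup can land on a
 * different pool member than the one we are connected to. */
struct conn sendauth_by_name(void)
{
    struct conn c;
    const struct host *h = forward_resolve(POOL_NAME);
    c.peer_addr = h->addr;                       /* stand-in for connect() */
    h = forward_resolve(POOL_NAME);              /* canonicalize: may differ */
    snprintf(c.principal, sizeof c.principal, "host/%s", h->canon);
    return c;
}

/* The proposed fix: derive the service principal from the address we are
 * actually connected to, by reverse resolution. */
struct conn sendauth_by_addr(void)
{
    struct conn c;
    const struct host *h = forward_resolve(POOL_NAME);
    c.peer_addr = h->addr;
    snprintf(c.principal, sizeof c.principal, "host/%s",
             reverse_resolve(c.peer_addr));
    return c;
}

/* The server at peer_addr holds only its own host key (no host/* option),
 * so it can decrypt the ticket only if the principal names that host. */
int server_accepts(const struct conn *c)
{
    char want[64];
    snprintf(want, sizeof want, "host/%s", reverse_resolve(c->peer_addr));
    return strcmp(c->principal, want) == 0;
}

int main(void)
{
    struct conn c;
    resolver_reset();
    c = sendauth_by_name();
    printf("by name: connected to %s, ticket for %s -> %s\n",
           c.peer_addr, c.principal, server_accepts(&c) ? "ok" : "rejected");
    resolver_reset();
    c = sendauth_by_addr();
    printf("by addr: connected to %s, ticket for %s -> %s\n",
           c.peer_addr, c.principal, server_accepts(&c) ? "ok" : "rejected");
    return 0;
}
```

The by-name path fails exactly when the two forward lookups disagree, which with a two-member pool is every time; the by-address path cannot disagree with itself because the name it uses comes from the connection that already exists. One general caveat worth keeping in mind when adopting the reverse-resolution approach: the PTR data for an address is controlled by whoever runs that address's reverse zone, so the server's own keytab check (modelled by server_accepts) remains the thing that actually decides whether a ticket is valid.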