Your message dated Mon, 05 Dec 2005 10:47:49 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#250966: fixed in krb5 1.4.3-3
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 26 May 2004 01:20:15 +0000
From: Russ Allbery <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: /usr/sbin/klogind: Authorization behavior not fully documented
X-Mailer: reportbug 2.60
Date: Tue, 25 May 2004 18:20:13 -0700

Package: krb5-rsh-server
Version: 1.3.3-1
Severity: normal
File: /usr/sbin/klogind
Tags: security

(Apologies if the security tag was inappropriate; I don't consider this
to be a major security hole or anything, but it does raise a security
issue, which was reportbug's definition.)

If klogind is used and configured with a default realm, and someone with
a user principal in that realm attempts to log on to an account that does
not have a .k5login file at all, that login appears to be authorized.
This may be somewhat surprising if one is not following the same namespace
as the Kerberos realm klogind is using, since the man page doesn't say
this and sort of implies that .k5login is always checked.

Ideally, it would be nice to have a switch to klogind that says "always
deny authorization if no .k5login file is present," but at the least I
think this should probably be documented in the klogind man page.

Note that this also isn't documented in the .k5login man page.

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.26
Locale: LANG=C, LC_CTYPE=C (ignored: LC_ALL set to C)

Versions of packages krb5-rsh-server depends on:
ii  krb5-config                 1.6          Configuration files for Kerberos V
ii  libc6                       2.3.2.ds1-12 GNU C Library: Shared libraries an
ii  libcomerr2                  1.35-6       The Common Error Description libra
ii  libkrb53                    1.3.3-1      MIT Kerberos runtime libraries
ii  netbase                     4.16         Basic TCP/IP networking system

-- no debconf information
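
The check the report above asks administrators to be aware of, as an added example (not part of the original message or of the krb5 package): a shell function that lists accounts with a login shell and no ~/.k5login, which are the accounts the report says are authorized without an explicit entry. The function names, the optional root prefix and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the krb5 package or the original report).
# Lists accounts that have a login shell but no ~/.k5login, i.e. the
# accounts the report says are authorized without an explicit entry.

# audit_k5login PASSWD_FILE [ROOT_PREFIX]
# ROOT_PREFIX (hypothetical parameter) lets the check run against a
# mounted image or a test tree instead of the live filesystem.
audit_k5login() {
    passwd_file=$1
    root=${2:-}
    while IFS=: read -r user _pw _uid _gid _gecos home shell; do
        # Skip blank and comment lines.
        case $user in ''|'#'*) continue ;; esac
        # Assumption: accounts with these shells cannot log in at all.
        case $shell in */nologin|*/false) continue ;; esac
        if [ ! -e "$root$home/.k5login" ]; then
            printf '%s\t%s\n' "$user" "$root$home/.k5login"
        fi
    done < "$passwd_file"
}

# Constructed sample tree: alice has a .k5login, bob has none,
# svc has none but also has no login shell.
build_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/home/alice" "$t/home/bob" "$t/home/svc"
    printf 'alice@EXAMPLE.ORG\n' > "$t/home/alice/.k5login"
    cat > "$t/passwd" <<'EOF'
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
svc:x:999:999::/home/svc:/usr/sbin/nologin
EOF
    printf '%s\n' "$t"
}

sample=$(build_sample_tree)
audit_k5login "$sample/passwd" "$sample"   # reports only bob
rm -rf "$sample"
```

On a live host, save the output of `getent passwd` to a file and pass that instead of /etc/passwd so that directory-service accounts are included.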

---------------------------------------
Received: (at 250966-close) by bugs.debian.org; 5 Dec 2005 18:52:47 +0000
From: Russ Allbery <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.60 $
Subject: Bug#250966: fixed in krb5 1.4.3-3
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Mon, 05 Dec 2005 10:47:49 -0800

Source: krb5
Source-Version: 1.4.3-3

We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive:

krb5-admin-server_1.4.3-3_i386.deb
  to pool/main/k/krb5/krb5-admin-server_1.4.3-3_i386.deb
krb5-clients_1.4.3-3_i386.deb
  to pool/main/k/krb5/krb5-clients_1.4.3-3_i386.deb
krb5-doc_1.4.3-3_all.deb
  to pool/main/k/krb5/krb5-doc_1.4.3-3_all.deb
krb5-ftpd_1.4.3-3_i386.deb
  to pool/main/k/krb5/krb5-ftpd_1.4.3-3_i386.deb
krb5-kdc_1.4.3-3_i386.deb
  to pool/main/k/krb5/krb5-kdc_1.4.3-3_i386.deb
krb5-rsh-server_1.4.3-3_i386.deb
  to pool/main/k/krb5/krb5-rsh-server_1.4.3-3_i386.deb
krb5-telnetd_1.4.3-3_i386.deb
  to pool/main/k/krb5/krb5-telnetd_1.4.3-3_i386.deb
krb5-user_1.4.3-3_i386.deb
  to pool/main/k/krb5/krb5-user_1.4.3-3_i386.deb
krb5_1.4.3-3.diff.gz
  to pool/main/k/krb5/krb5_1.4.3-3.diff.gz
krb5_1.4.3-3.dsc
  to pool/main/k/krb5/krb5_1.4.3-3.dsc
libkadm55_1.4.3-3_i386.deb
  to pool/main/k/krb5/libkadm55_1.4.3-3_i386.deb
libkrb5-dev_1.4.3-3_i386.deb
  to pool/main/k/krb5/libkrb5-dev_1.4.3-3_i386.deb
libkrb53_1.4.3-3_i386.deb
  to pool/main/k/krb5/libkrb53_1.4.3-3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Russ Allbery <[EMAIL PROTECTED]> (supplier of updated krb5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun,  4 Dec 2005 11:37:40 -0800
Source: krb5
Binary: krb5-doc libkrb5-dev krb5-rsh-server krb5-user krb5-ftpd libkadm55 libkrb53 krb5-clients krb5-telnetd krb5-kdc krb5-admin-server
Architecture: source i386 all
Version: 1.4.3-3
Distribution: unstable
Urgency: low
Maintainer: Sam Hartman <[EMAIL PROTECTED]>
Changed-By: Russ Allbery <[EMAIL PROTECTED]>
Description: 
 krb5-admin-server - MIT Kerberos master server (kadmind)
 krb5-clients - Secure replacements for ftp, telnet and rsh using MIT Kerberos
 krb5-doc   - Documentation for MIT Kerberos
 krb5-ftpd  - Secure FTP server supporting MIT Kerberos
 krb5-kdc   - MIT Kerberos key server (KDC)
 krb5-rsh-server - Secure replacements for rshd and rlogind using MIT Kerberos
 krb5-telnetd - Secure telnet server supporting MIT Kerberos
 krb5-user  - Basic programs to authenticate using MIT Kerberos
 libkadm55  - MIT Kerberos administration runtime libraries
 libkrb5-dev - Headers and development libraries for MIT Kerberos
 libkrb53   - MIT Kerberos runtime libraries
Closes: 232431 250966 261712 330925 333161 341608
Changes: 
 krb5 (1.4.3-3) unstable; urgency=low
 .
   * Additional internal pthread symbols have to be declared weak on Hurd.
     Thanks, Michael Banck.  (Closes: #341608)
   * Build on GNU/kFreeBSD.  Thanks, Petr Salinger.  (Closes: #261712)
   * Change the default KDC enctype to 3DES to match upstream (the
     difference was probably a mismerge).
   * Remove /etc/default/krb5-admin-server on purge.  (Closes: #333161)
   * Document the behavior of klogind and kshd if the user has no .k5login
     file.  Remove vestigial .rhosts references.  (Closes: #250966)
   * Document krb5-rsh-server authorization defaults in README.Debian.
   * Enable kinit -a to match the man page.  (Closes: #232431)
   * Remove the patch to tightly bind libkrb4 to libdes425.  This should no
     longer be necessary with symbol versioning.
   * Upstream has removed the file with questionable licensing, so the
     upstream tarball is no longer repacked.  Remove the get-orig-source
     target in debian/rules and the notes in copyright and README.Debian.
   * Add a watch file.
   * Translation updates.
     - German, thanks jens.  (Closes: #330925)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDk0pU+YXjQAr8dHYRApd7AJ0ZK6zH5BVblUQKMuhzQPurRWq93gCgpkxQ
iULYXAA7bsymmPYJAsn6kc0=
=ba/R
-----END PGP SIGNATURE-----

