Re: Accumulated patches
Chris Chiappa <griffon+heimdal-discuss@snurgle.org> writes:
> Since these seem to not have made it into 0.3f final I've made an
> accumulated diff.
We're not always very fast when it comes to feedback.
> * ktutil list of an empty keytab segfaults. To reproduce:
> ktutil --keytab=krb4:/dev/null list
Fixed, but slightly different.
> * kinit can convert to v4 when renewing v5 tickets (me) and the
> --524convert switch for kinit to convert from v5 to v4 without any
> other actions (Derrick Brashear)
I have some similar changes that do more. I'll try to finish them
in not too long.
> * kinit warns of errors with v4 ticket files
Will include.
> * A tweak in gssapi/verify_mic.c which prevents the Krb5 patches for Openssh
> ( http://www.sxw.org.uk/computing/patches/openssh.html ) from segfaulting.
I think we fixed this differently.
It's always (as far as I can tell) wrong to use a key different from
the remote subkey when verifying remote packets. We should have set
the remote subkey in krb5_rd_rep, and do now. So the remote subkey
should now be the correct one, also for clients in mutual mode. The
relevant patch for rd_rep looks like:
--- rd_rep.c 2001/05/14 06:14:50 1.21
+++ rd_rep.c 2001/06/18 02:13:34
@@ -97,7 +97,10 @@
goto out;
}
if ((*repl)->seq_number)
- auth_context->remote_seqnumber = *((*repl)->seq_number);
+ krb5_auth_con_setremoteseqnumber(context, auth_context,
+ *((*repl)->seq_number));
+ if ((*repl)->subkey)
+ krb5_auth_con_setremotesubkey(context, auth_context, (*repl)->subkey);
out:
krb5_data_free (&data);
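Review bot: The return values of both added calls, krb5_auth_con_setremoteseqnumber and krb5_auth_con_setremotesubkey, are discarded. If the subkey setter can fail (for example while copying the key), control falls through to out: with no remote subkey stored and no error reported, so later verification of remote packets would silently use a different key, which is the situation this change is meant to rule out. Suggest capturing the result of each call in the function's error variable and taking the existing "goto out;" path when it is non-zero. A short comment above the new "if ((*repl)->subkey)" line, saying that the AP-REP subkey must be recorded for verifying remote packets (including for clients in mutual mode), would also keep the reasoning next to the code.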
Can perhaps Derrick verify that this does what he wants?
> * A change to convert_creds which makes v4 tickets useful with
> renewable v5 tickets (like MIT behavior).
Fixed. Now also API-compatible with MIT.
> * A couple of implicit decls in telnet (harmless)
These should be in 0.3f.
/Johan