From rhh@ct.picker.com  Sun Dec 14 10:50:57 1997
Received: from whqvax.picker.com (whqvax.picker.com [144.54.1.1])
          by hub.freebsd.org (8.8.7/8.8.7) with SMTP id KAA28057
          for <FreeBSD-gnats-submit@freebsd.org>; Sun, 14 Dec 1997 10:50:54 -0800 (PST)
          (envelope-from rhh@ct.picker.com)
Received: from ct.picker.com by whqvax.picker.com with SMTP;
          Sun, 14 Dec 1997 13:50:23 -0500 (EST)
Received: from stealth.ct.picker.com (eagle.ct.picker.com) by ct.picker.com (4.1/SMI-4.1)
	id AA27933; Sun, 14 Dec 97 13:50:19 EST
Received: (from rhh@localhost)
	by stealth.ct.picker.com (8.8.8/8.8.8) id NAA04476;
	Sun, 14 Dec 1997 13:51:20 GMT
	(envelope-from rhh)
Message-Id: <199712141351.NAA04476@stealth.ct.picker.com>
Date: Sun, 14 Dec 1997 13:51:20 GMT
From: rhh@ct.picker.com
Reply-To: rhh@ct.picker.com
To: FreeBSD-gnats-submit@freebsd.org
Cc: rhh@ct.picker.com
Subject: DES dist (req'd by PPP) defaults to kerberos auth enable
X-Send-Pr-Version: 3.2

>Number:         5293
>Category:       bin
>Synopsis:       DES dist (req'd by PPP) defaults to kerberos auth enable
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    brian
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Dec 14 11:00:01 PST 1997
>Closed-Date:    Sat Jun 27 07:22:45 PDT 1998
>Last-Modified:  Sat Jun 27 07:23:47 PDT 1998
>Originator:     Randall Hopper
>Release:        FreeBSD 3.0-971208-SNAP i386
>Organization:
self
>Environment:

	Fresh installation of 3.0-971208 SNAP.

>Description:

	Recently installed the latest 3.0 snap, and as I'd seen in the
	lists, ppp now links with DES for Microsoft authentication. Confirmed
	this by running PPP w/o the DES dist installed and seeing that it 
	wouldn't dynlink.

	After decompressing the DES dist, I find that "su" now tries to 
	do Kerberos ACL lookups.  Each su generates a dozen or so bogus 
	DNS lookups to krb4-realm, and then fails with something like 
	"... not in root's ACL list".  It then lets you get to root.

>How-To-Repeat:

	On a 971208-SNAP system without the DES package installed.  ppp
	doesn't dynlink.  Install DES, then run "su".

>Fix:
	
	Since ppp now requires DES, and many FreeBSD-at-home folks run PPP
	but have no want/need for running Kerberos, the better fix might 
	be to have the DES dist not enable Kerberos by default.

	Alternatively, split the DES dist into two dists.  DESLIB with
	library dependencies only (for PPP, etc.), and a separate 
	KERBEROS dist.

	Either way, this probably deserves a mention in the FAQ/handbook in
	the PPP section.  My searches for "PPP AND DES" in the top section
	of the search page didn't reveal anything describing my "PPP w/ DES
	w/o kerberos" question.

	I really don't think an acceptable solution would be to require 
	everyone wanting to run PPP to learn how to turn off the 
	enabled-by-default Kerberos in the DES dist, though that is of course 
	one possible fix as well.  (Note that I do have all the kerberos 
	options in rc.conf set to NO [kerberos_server_enable and
	kadmind_server_enable]).

	My hack work-around for this problem was to install the DES dist, and 
	then selectively reinstall the bin and lib dirs in the BIN dist 
	over top of this (to restore the original libcrypt.*, init, ed, etc.).

>Release-Note:
>Audit-Trail:

From: Brian Somers <brian@awfulhak.org>
To: rhh@ct.picker.com
Cc: FreeBSD-gnats-submit@freebsd.org, Jordan Hubbard <jkh@freebsd.org>
Subject: Re: bin/5293: DES dist (req'd by PPP) defaults to kerberos auth enable 
Date: Tue, 16 Dec 1997 02:00:57 +0000

 [Jordan cc'd]
 
 > >Number:         5293
 > >Category:       bin
 > >Synopsis:       DES dist (req'd by PPP) defaults to kerberos auth enable
 [.....]
 > 	On a 971208-SNAP system without the DES package installed.  ppp
 > 	doesn't dynlink.  Install DES, then run "su".
 
 If ppp is built on a machine without DES, it won't need DES (and 
 M$-CHAP will be disabled).  This sounds like you've `polluted' your 
 non-DES machine with some DES binaries (or have you done a binary 
 installation? - if so, the problem is with `make release').
 
 > >Fix:
 > 	
 > 	Since ppp now requires DES, and many FreeBSD-at-home folks run PPP
 > 	but have no want/need for running Kerberos, the better fix might 
 > 	be to have the DES dist not enable Kerberos by default.
 [.....]
 
 I've got des installed on one of my machines here, without the 
 necessity for Kerberos.
 
 Maybe it's getting close to the time where we've gotta sort out the 
 -ldes stuff in release..... Jordan ?
 -- 
 Brian <brian@Awfulhak.org>, <brian@FreeBSD.org>, <brian@OpenBSD.org>
       <http://www.Awfulhak.org>
 Don't _EVER_ lose your sense of humour....
 
 

From: "Jordan K. Hubbard" <jkh@time.cdrom.com>
To: Brian Somers <brian@awfulhak.org>
Cc: rhh@ct.picker.com, FreeBSD-gnats-submit@freebsd.org,
        Jordan Hubbard <jkh@freebsd.org>
Subject: Re: bin/5293: DES dist (req'd by PPP) defaults to kerberos auth enable 
Date: Mon, 15 Dec 1997 19:00:24 -0800

 > Maybe it's getting close to the time where we've gotta sort out the 
 > -ldes stuff in release..... Jordan ?
 
 I haven't really looked into this at all.  I'm open to suggestions. :)
 
 					Jordan

From: Brian Somers <brian@awfulhak.org>
To: "Jordan K. Hubbard" <jkh@time.cdrom.com>
Cc: Brian Somers <brian@awfulhak.org>, rhh@ct.picker.com,
        FreeBSD-gnats-submit@freebsd.org, Jordan Hubbard <jkh@freebsd.org>
Subject: Re: bin/5293: DES dist (req'd by PPP) defaults to kerberos auth enable 
Date: Tue, 16 Dec 1997 03:19:10 +0000

 > > Maybe it's getting close to the time where we've gotta sort out the 
 > > -ldes stuff in release..... Jordan ?
 > 
 > I haven't really looked into this at all.  I'm open to suggestions. :)
 > 
 > 					Jordan
 
 Perhaps the best approach is to swallow the additional build time 
 and recompile stuff for `the crunch' - with an additional (say) 
 -DBUILD_CRUNCH.  I'll have a poke around and get back to you.
 
 Cheers.
 
 -- 
 Brian <brian@Awfulhak.org>, <brian@FreeBSD.org>, <brian@OpenBSD.org>
       <http://www.Awfulhak.org>
 Don't _EVER_ lose your sense of humour....
 
 
Responsible-Changed-From-To: freebsd-bugs->brian 
Responsible-Changed-By: phk 
Responsible-Changed-When: Tue May 19 22:50:52 PDT 1998 
Responsible-Changed-Why:  
ppp-man takes over ? 
State-Changed-From-To: open->closed 
State-Changed-By: brian 
State-Changed-When: Sat Jun 27 07:22:45 PDT 1998 
State-Changed-Why:  
Fixed yesterday in -current & RELENG_2_2 
>Unformatted:
