From gjbroom@kinsella.csc.UVic.CA  Thu Jan 25 16:27:47 1996
Received: from kinsella.csc.UVic.CA (kinsella.csc.UVic.CA [142.104.100.119])
          by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id QAA20928
          for <FreeBSD-gnats-submit@freebsd.org>; Thu, 25 Jan 1996 16:27:44 -0800 (PST)
Received: (from gjbroom@localhost) by kinsella.csc.UVic.CA (8.6.12/8.6.12) id QAA21837; Thu, 25 Jan 1996 16:27:46 -0800
Message-Id: <199601260027.QAA21837@kinsella.csc.UVic.CA>
Date: Thu, 25 Jan 1996 16:27:46 -0800
From: Gord Broom <gjbroom@kinsella.csc.UVic.CA>
Reply-To: gjbroom@kinsella.csc.UVic.CA
To: FreeBSD-gnats-submit@freebsd.org
Subject: inetd.conf should comment out k-services if no Kerberos present
X-Send-Pr-Version: 3.2

>Number:         972
>Category:       conf
>Synopsis:       inetd.conf should comment out k-services if no Kerberos present
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          support
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan 25 16:30:01 PST 1996
>Closed-Date:    Wed Jan 8 13:02:38 PST 1997
>Last-Modified:  Wed Jan  8 13:04:43 PST 1997
>Originator:     Gord Broom  <gjbroom@csc.UVic.CA>   Research Programmer, University of Victoria
>Release:        FreeBSD 2.1-STABLE i386
>Organization:
Gord Broom		Programmer/Analyst
Department of Computer Science, University of Victoria, CANADA
<gjbroom@csc.UVic.CA>
"Sure, alcohol kills brain cells.  But only the weak ones."
>Environment:

	Any CD-ROM installation.

>Description:

	By default, the CD-ROM doesn't contain any DES or kerberos code.
People in the USA and Canada can legally FTP the missing bits from 
ftp.freebsd.org and install them.  If you install kerb on one machine
but not another, remote logins to the unkerb-ed machine will fail because
inetd.conf thinks that kerberos is there.

>How-To-Repeat:

	Add the kerberos package to one system but not another, try to 
	rlogin from the kerberized one. 
	

>Fix:
	
	Comment out the offending lines from inetd.conf
	Here's a patch to do just that:

*** inetd.conf	Thu Jan 25 16:20:08 1996
--- inetd.conf.new	Thu Jan 25 16:20:36 1996
***************
*** 27,36 ****
  #daytime	dgram	udp	wait	root	internal
  #time	dgram	udp	wait	root	internal
  # Kerberos authenticated services
! klogin	stream	tcp	nowait	root	/usr/libexec/rlogind	rlogind -k
! eklogin	stream	tcp	nowait	root	/usr/libexec/rlogind	rlogind -k -x
! kshell	stream	tcp	nowait	root	/usr/libexec/rshd	rshd -k
! rkinit	stream	tcp	nowait	root	/usr/libexec/rkinitd	rkinitd
  # Services run ONLY on the Kerberos server
  # Neither of these work in FreeBSD 1.x.
  #krbupdate stream tcp	nowait	root	/usr/libexec/registerd	registerd
--- 27,36 ----
  #daytime	dgram	udp	wait	root	internal
  #time	dgram	udp	wait	root	internal
  # Kerberos authenticated services
! #klogin	stream	tcp	nowait	root	/usr/libexec/rlogind	rlogind -k
! #eklogin	stream	tcp	nowait	root	/usr/libexec/rlogind	rlogind -k -x
! #kshell	stream	tcp	nowait	root	/usr/libexec/rshd	rshd -k
! #rkinit	stream	tcp	nowait	root	/usr/libexec/rkinitd	rkinitd
  # Services run ONLY on the Kerberos server
  # Neither of these work in FreeBSD 1.x.
  #krbupdate stream tcp	nowait	root	/usr/libexec/registerd	registerd
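
Review bot: the four entries under "# Kerberos authenticated services" are commented out with no hint about when to turn them back on, so a host that later installs the Kerberos distribution gets no klogin, eklogin, kshell or rkinit until someone edits the file by hand. Suggest extending that header comment to say the lines below should be uncommented once Kerberos is installed, in the same style as the "# Services run ONLY on the Kerberos server" note a few lines further down.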

>Release-Note:
>Audit-Trail:

From: J Wunsch <j@uriah.heep.sax.de>
To: gjbroom@kinsella.csc.UVic.CA
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: conf/972: inetd.conf should comment out k-services if no Kerberos present
Date: Fri, 26 Jan 1996 09:17:39 +0100 (MET)

 As Gord Broom wrote:
 > 
 > 	By default, the CD-ROM doesn't contain any DES or kerberos code.
 > People in the USA and Canada can legally FTP the missing bits from 
 > ftp.freebsd.org and install them.  If you install kerb on one machine
 > but not another, remote logins to the unkerb-ed machine will fail because
 > inetd.conf thinks that kerberos is there.
 
 > >Fix:
 > 	
 > 	Comment out the offending lines from inetd.conf
 
 Hmm, the problem is that this f*** US policy causes us already a bunch
 of grey hairs while making a release.  Now, one of the distributions
 needs an inetd.conf with it and one needs an inetd.conf without it.
 Ick. :-((
 
 -- 
 cheers, J"org
 
 joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
 Never trust an operating system you don't have sources for. ;-)
State-Changed-From-To: open->feedback 
State-Changed-By: scrappy 
State-Changed-When: Tue Oct 22 14:36:01 PDT 1996 
State-Changed-Why:  


Does anyone have an opinion on this one? 

Basically, since Kerberos isn't distributed on the CD, Originator 
suggests commenting out the appropriate entries in /etc/inetd.conf 

Are there any reasons, security or otherwise, where leaving them  
enabled is a bad thing? 


From: Garrett Wollman <wollman@lcs.mit.edu>
To: "Marc G. Fournier" <scrappy@freefall.freebsd.org>
Cc: freebsd-gnats-submit@freefall.freebsd.org
Subject: Re: conf/972
Date: Wed, 23 Oct 1996 12:20:00 -0400

 <<On Tue, 22 Oct 1996 14:37:58 -0700 (PDT), "Marc G. Fournier" <scrappy@freefall.freebsd.org> said:
 
 > Basically, since Kerberos isn't distributed on the CD, Originator
 > suggests commenting out the appropriate entries in /etc/inetd.conf
 
 > Are there any reasons, security or otherwise, where leaving them 
 > enabled is a bad thing?
 
 Yes.  If they are enabled, then a Kerberized host attempting to talk
 to a non-Kerberized host will see `krlogin' succeed and then
 immediately drop, rather than failing (the correct behavior).  Thus,
 the automatic fallback does not work in this case.
 
 -GAWollman
 
 --
 Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
 wollman@lcs.mit.edu  | O Siem / The fires of freedom 
 Opinions not those of| Dance in the burning flame
 MIT, LCS, ANA, or NSA|                     - Susan Aglukark and Chad Irschick
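
An added example, not part of the PR or of FreeBSD: a small sh check for the mismatch discussed in this thread, where the four Kerberos entries from the patch are active in inetd.conf on a host without Kerberos. The function names and the "marker" path used to decide whether Kerberos is installed are assumptions of this example; the sample file is constructed from the patch's lines.

```sh
#!/bin/sh
# Added example, not part of the PR: flag Kerberos inetd entries that are
# active on a host where Kerberos is not installed.

# enabled_kservices FILE
# Print the service name of each uncommented klogin/eklogin/kshell/rkinit entry.
enabled_kservices() {
    awk '
        $1 ~ /^#/ { next }    # commented-out line
        NF < 6    { next }    # too short to be an inetd.conf entry
        $1 ~ /^(klogin|eklogin|kshell|rkinit)$/ { print $1 }
    ' "$1"
}

# audit_inetd FILE MARKER
# MARKER is any path the caller treats as proof that Kerberos is installed
# (an assumption of this example). Returns 1 on the mismatch from the PR.
audit_inetd() {
    active=$(enabled_kservices "$1")
    if [ -z "$active" ] || [ -e "$2" ]; then
        return 0
    fi
    echo "active Kerberos services but $2 not found:" $active >&2
    return 1
}

# Constructed sample: the patched region of inetd.conf before the fix.
sample_before() {
    cat <<'EOF'
#time   dgram  udp wait   root internal
# Kerberos authenticated services
klogin  stream tcp nowait root /usr/libexec/rlogind rlogind -k
eklogin stream tcp nowait root /usr/libexec/rlogind rlogind -k -x
kshell  stream tcp nowait root /usr/libexec/rshd    rshd -k
rkinit  stream tcp nowait root /usr/libexec/rkinitd rkinitd
EOF
}

tmp=$(mktemp /tmp/inetd.XXXXXX)
sample_before > "$tmp"
audit_inetd "$tmp" /nonexistent/kerberos-marker || echo "mismatch: comment the entries out"
sed 's/^[a-z]/#&/' "$tmp" > "$tmp.fixed"    # same edit as the patch
audit_inetd "$tmp.fixed" /nonexistent/kerberos-marker && echo "fixed file is consistent"
rm -f "$tmp" "$tmp.fixed"
```
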
State-Changed-From-To: feedback->analyzed 
State-Changed-By: wollman 
State-Changed-When: Tue Dec 17 08:24:54 PST 1996 
State-Changed-Why:  
I think that this may have been fixed, but I'm not sure. 
State-Changed-From-To: analyzed->closed 
State-Changed-By: max 
State-Changed-When: Wed Jan 8 13:02:38 PST 1997 
State-Changed-Why:  
This change has been applied in inetd.conf Rev. 1.24. 
>Unformatted:
