3.0.2 AFS login problem, Solaris 2.5.1

Peter Scott Peter.J.Scott at jpl.nasa.gov
Sat Jan 5 09:58:50 EST 2002


At 01:27 PM 1/4/02 -0800, Booker C. Bense wrote:
> > The server (in debug mode) at this point says:
> >    debug1: attempt 2 failures 2
> >    kerberos-iv/udp unknown service, using default port 750
> >    Kerberos v4 TGT for joeuser unverifiable: Principal unknown
> > (kerberos);   rcmd.grimble not registered, or srvtab is wrong?
> >    debug1: krb4_cleanup_proc called
> >    Failed password for joeuser from 123.45.67.89 port 34375 ssh2
>
>- You need a srvtab for your machine to accept kerberos 4 logins.
>Accepting logins without verifying them against a srvtab is not
>considered acceptable security practice by most people.
>
> > I am suspecting that ka_UserAuthenticateGeneral is what talks over 7004 and
> > that if I could make an equivalent patch to 3.0.2 that would use it, I'd be
> > able to talk to our kaserver. [snip]
> > I tried a naive patch to 3.0.2 to use ka_UserAuthenticateGeneral and I
> > couldn't even get it to link; usually I eventually figure out an order of
> > all those wretched AFS libraries that works but not this time.
> >
> > Why doesn't 3.0.2 call ka_UserAuthenticateGeneral?
>
>- Because it's insecure?

Thanks for this information.  I've read the thread and URL you 
provided.  If you don't mind what may be a stupid question - does this 
imply that the stock AFS login - or at least the Transarc one we are using 
- is insecure?  Because all it has to go on is a username and password, and 
we already know that the kaservers don't have a srvtab for the client 
machine.  If it isn't insecure, what makes it secure?  I looked in OpenAFS 
source and if I'm looking at the right place, the login does call 
ka_UserAuthenticateGeneral... and without a srvtab for the client how can 
that be good enough?
--
Peter Scott
Peter.J.Scott at jpl.nasa.gov
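The point in the quoted reply above (a login that only checks whether the KDC's answer decrypts under the typed password can be satisfied by anyone who answers the client's KDC traffic, so the server must also obtain a ticket for its own rcmd.<host> principal and verify it with the key in its srvtab) as an added, constructed Python model. This is editorial illustration, not OpenSSH, Kerberos or AFS code: the toy sealing primitive, the KDC classes, the principal names rcmd.grimble and joeuser, and the login() function are all assumptions made for the example. Whether a particular AFS login path performs an equivalent host-key check is the question the thread leaves open and is not answered here.

```python
"""Toy model of Kerberos v4 login checking with and without a srvtab.
Constructed illustration only (not OpenSSH, Kerberos or AFS code); the
sealing primitive, KDC classes and principal names are assumptions."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN, SESSION_LEN = 16, 32, 32


def string_to_key(password: str) -> bytes:
    """Stand-in for the Kerberos string-to-key function (assumption)."""
    return hashlib.sha256(b"toy-k4:" + password.encode()).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def seal(key: bytes, data: bytes) -> bytes:
    """Toy authenticated encryption: XOR keystream plus an HMAC tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(); raises ValueError on a wrong key or altered blob."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("bad key or tampered ticket")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Honest KDC: holds every user's key and every rcmd.<host> key."""
    def __init__(self, user_keys: dict, host_keys: dict):
        self.user_keys, self.host_keys = user_keys, host_keys
        self.tgs_key = os.urandom(32)
    def _user_key(self, user: str) -> bytes:
        return self.user_keys[user]
    def _host_key(self, service: str) -> bytes:
        return self.host_keys[service]
    def as_exchange(self, user: str) -> bytes:
        # AS reply: session key + TGT, sealed under the user's password-derived key.
        session = os.urandom(SESSION_LEN)
        tgt = seal(self.tgs_key, user.encode() + b"|" + session)
        return seal(self._user_key(user), session + tgt)
    def tgs_exchange(self, tgt: bytes, service: str) -> bytes:
        # Service ticket for rcmd.<host>, sealed under that host's key.
        user, session = unseal(self.tgs_key, tgt).split(b"|", 1)
        return seal(self._host_key(service), user + b"|" + session)


class RogueKDC(KDC):
    """Attacker answering the client's KDC traffic: knows no real key, seals the
    AS reply under whatever password the attacker typed, can only guess host keys."""
    def __init__(self, typed_password: str):
        super().__init__({}, {})
        self.typed_key = string_to_key(typed_password)
    def _user_key(self, user: str) -> bytes:
        return self.typed_key
    def _host_key(self, service: str) -> bytes:
        return os.urandom(32)  # a guess: the attacker never had the srvtab key


def login(kdc, user: str, password: str, hostname: str, srvtab) -> bool:
    """Server-side check. srvtab is {principal: key}, or None for 'no srvtab'."""
    try:
        reply = unseal(string_to_key(password), kdc.as_exchange(user))
    except ValueError:
        return False            # AS reply does not match the typed password
    session, tgt = reply[:SESSION_LEN], reply[SESSION_LEN:]
    if srvtab is None:
        return True             # password-only shortcut: trusts whoever answered
    service = f"rcmd.{hostname}"
    try:
        plain = unseal(srvtab[service], kdc.tgs_exchange(tgt, service))
    except (KeyError, ValueError):
        return False            # "rcmd.<host> not registered, or srvtab is wrong"
    t_user, t_session = plain.split(b"|", 1)
    return t_user == user.encode() and hmac.compare_digest(t_session, session)


def demo() -> dict:
    """Four constructed cases; returns {case name: login accepted?}."""
    host_key = os.urandom(32)
    real = KDC({"joeuser": string_to_key("correct horse")}, {"rcmd.grimble": host_key})
    srvtab = {"rcmd.grimble": host_key}            # the host's copy of its own key
    typed = "whatever-the-attacker-typed"
    rogue = RogueKDC(typed)
    return {
        "real_kdc_right_pw_srvtab": login(real, "joeuser", "correct horse", "grimble", srvtab),
        "real_kdc_wrong_pw_srvtab": login(real, "joeuser", "nope", "grimble", srvtab),
        "rogue_kdc_no_srvtab": login(rogue, "joeuser", typed, "grimble", None),
        "rogue_kdc_with_srvtab": login(rogue, "joeuser", typed, "grimble", srvtab),
    }
```

Calling demo() shows the two outcomes that matter: with no srvtab, the rogue KDC gets "joeuser" logged in with a password the attacker chose, because the only thing checked is that the reply decrypts under that password; with a srvtab, the same rogue KDC cannot produce a service ticket that decrypts under the host's key, so the login is rejected even though the first step looked fine. The real KDC still rejects a wrong password in both modes. The srvtab key must be the same key the KDC has registered for rcmd.<host>, which is why a missing or stale srvtab produces the "not registered, or srvtab is wrong" failure quoted in the thread.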



