Subject: security/9467: HESIOD does not work properly
To: None <gnats-bugs@gnats.netbsd.org>
From: None <rslr@neurocom.com>
List: netbsd-bugs
Date: 02/22/2000 09:51:39
>Number: 9467
>Category: security
>Synopsis: HESIOD does not work properly
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: security-officer (NetBSD Security Officer)
>State: open
>Class: support
>Submitter-Id: net
>Arrival-Date: Tue Feb 22 09:50:59 2000
>Last-Modified:
>Originator: de SAINT LEGER Rodolphe
>Organization:
NEUROCOM
>Release: 1.4.1
>Environment:
netbsd amiga (m68k)
>Description:
HESIOD implementation of netbsd has some serious bugs...
the local mail doesn't work anymore when HESIOD is active.
the base .gid has to be registered ad .group
Kerberos is not Y2K compliant (krbtgt always expire)
Ex for HESIOD:
200.group HS CNAME naomi.group
naomi.group HS TXT naomi:*:200:
this bug is critical for users authentication... :(
>How-To-Repeat:
make a working HESIOD database for named
(use the official athena description),
launch named, and setup your resolv.conf properly.
modify your nsswitch.conf like this:
group: dns files
passwd: dns files
first try the standard mail program
you should have a core dump.
then, make a chown with an HESIOD user and group.
the user should be correct, but you'll have a number instead of your group.
modify your HESIOD database, pour group instead of gid, now,
you'll have the correct groupname.
now, for kerberos,
setup your krb.conf and krb.realms,
launch kdb_init,
launch kstash,
launch kdb_edit to add a new user.
setup rc.conf to activate kerberos daemon, reboot the machine.
type passwd <username>
you should have in the kerberos log
...EXPIRE ...(krbtgt)...
>Fix:
>Audit-Trail:
>Unformatted: