

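--- a/openssh-5.5p1/auth-krb5.c.kuserok
+++ b/openssh-5.5p1/auth-krb5.c.kuserok
@@ -146,9 +146,11 @@ auth_krb5_password(Authctxt *authctxt, c
 	if (problem)
 		goto out;
 
-	if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
-		problem = -1;
-		goto out;
+	if (options.use_kuserok) {
+		if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
+			problem = -1;
+			goto out;
+		}
 	}
 
 	problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache);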
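Review bot: The new `if (options.use_kuserok)` guard makes the `krb5_kuserok()` call optional, and nothing in the hunk records what is lost when it is skipped: that call is the step that decides whether the Kerberos principal may log in to this local account. I would put a comment on the guard, `/* krb5_kuserok() authorizes the principal for the local account; with KerberosUseKuserok no this check is skipped entirely */`, and add an `else` branch with `debug("krb5_kuserok check disabled by KerberosUseKuserok");` so that a login accepted without the check is visible in the server log. The patch as shown changes only this call site; if other code paths call `krb5_kuserok()` (not visible here), the option would cover password authentication only, and the documentation should then say so. `auth_krb5_password` starts and ends outside the hunk.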
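--- a/openssh-5.5p1/servconf.c.kuserok
+++ b/openssh-5.5p1/servconf.c.kuserok
@@ -137,6 +137,7 @@ initialize_server_options(ServerOptions
 	options->zero_knowledge_password_authentication = -1;
 	options->revoked_keys_file = NULL;
 	options->trusted_user_ca_keys = NULL;
+	options->use_kuserok = -1;
 }
 
 void
@@ -285,6 +286,8 @@ fill_default_server_options(ServerOption
 	if (use_privsep == -1)
 		use_privsep = 1;
 
+	if (options->use_kuserok == -1)
+		options->use_kuserok = 1;
 #ifndef HAVE_MMAP
 	if (use_privsep && options->compression == 1) {
 		error("This platform does not support both privilege "
@@ -306,7 +309,7 @@ typedef enum {
 	sPermitRootLogin, sLogFacility, sLogLevel,
 	sRhostsRSAAuthentication, sRSAAuthentication,
 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
-	sKerberosGetAFSToken,
+	sKerberosGetAFSToken, sKerberosUseKuserok,
 	sKerberosTgtPassing, sChallengeResponseAuthentication,
 	sPasswordAuthentication, sKbdInteractiveAuthentication,
 	sListenAddress, sAddressFamily,
@@ -376,11 +379,13 @@ static struct {
 #else
 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
 #endif
+	{ "kerberosusekuserok", sKerberosUseKuserok, SSHCFG_ALL },
 #else
 	{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
 	{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
 	{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
+	{ "kerberosusekuserok", sUnsupported, SSHCFG_ALL },
 #endif
 	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
 	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
@@ -1335,6 +1340,10 @@ process_server_config_line(ServerOptions
 		*activep = value;
 		break;
 
+	case sKerberosUseKuserok:
+		intptr = &options->use_kuserok;
+		goto parse_flag;
+
 	case sPermitOpen:
 		arg = strdelim(&cp);
 		if (!arg || *arg == '\0')
@@ -1517,6 +1526,7 @@ copy_set_server_options(ServerOptions *d
 	M_CP_INTOPT(x11_use_localhost);
 	M_CP_INTOPT(max_sessions);
 	M_CP_INTOPT(max_authtries);
+	M_CP_INTOPT(use_kuserok);
 
 	M_CP_STROPT(banner);
 	if (preauth)
@@ -1734,6 +1744,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sUseDNS, o->use_dns);
 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
+	dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
 
 	/* string arguments */
 	dump_cfg_string(sPidFile, o->pid_file);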
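Review bot: The added `dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);` in `dump_config` is unconditional, while the keyword table maps `kerberosusekuserok` to `sUnsupported` in the branch built without Kerberos support. In such a build no table entry carries `sKerberosUseKuserok`, so the configuration dump would, as far as the hunks show, print a value for a keyword the server does not support, under whatever name the opcode lookup falls back to. Wrap the line in the same preprocessor guard that selects the supported table entry (presumably `#ifdef KRB5`; the opening directive is outside the hunk). Separately, `SSHCFG_ALL` makes an option that turns off an authorization check settable per `Match` block, and a short comment next to `case sKerberosUseKuserok:` saying so would help whoever audits a configuration. All of the touched functions begin and end outside their hunks.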
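--- a/openssh-5.5p1/servconf.h.kuserok
+++ b/openssh-5.5p1/servconf.h.kuserok
@@ -157,6 +157,7 @@ typedef struct {
 
 	int	num_permitted_opens;
 
+	int	use_kuserok;
 	char   *chroot_directory;
 	char   *revoked_keys_file;
 	char   *trusted_user_ca_keys;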
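--- a/openssh-5.5p1/sshd_config.5.kuserok
+++ b/openssh-5.5p1/sshd_config.5.kuserok
@@ -519,6 +519,10 @@ Specifies whether to automatically destr
 file on logout.
 The default is
 .Dq yes .
+.It Cm KerberosUseKuserok
+Specifies whether to look at .k5login file for user's aliases.
+The default is
+.Dq yes .
 .It Cm KeyRegenerationInterval
 In protocol version 1, the ephemeral server key is automatically regenerated
 after this many seconds (if it has been used).
@@ -644,6 +648,7 @@ Available keywords are
 .Cm HostbasedAuthentication ,
 .Cm KbdInteractiveAuthentication ,
 .Cm KerberosAuthentication ,
+.Cm KerberosUseKuserok ,
 .Cm MaxAuthTries ,
 .Cm MaxSessions ,
 .Cm PasswordAuthentication ,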
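--- a/openssh-5.5p1/sshd_config.kuserok
+++ b/openssh-5.5p1/sshd_config.kuserok
@@ -72,6 +72,7 @@ ChallengeResponseAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
 #KerberosGetAFSToken no
+#KerberosUseKuserok yes
 
 # GSSAPI options
 #GSSAPIAuthentication no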
