| Summary: | Local user name in krb5_kuserok call | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | Miguel Sanders <miguel.sanders> | ||||||||
| Component: | Kerberos support | Assignee: | Assigned to nobody <unassigned-bugs> | ||||||||
| Status: | CLOSED FIXED | ||||||||||
| Severity: | normal | CC: | djm, dtucker | ||||||||
| Priority: | P5 | ||||||||||
| Version: | 6.0p1 | ||||||||||
| Hardware: | PPC | ||||||||||
| OS: | AIX | ||||||||||
| Bug Depends on: | |||||||||||
| Bug Blocks: | 2130 | ||||||||||
| Attachments: |
|
||||||||||
Created attachment 2180 [details]
Patch
unfortunately it's too late for 6.1 (the openbsd release is already cut) so targeting 6.2 Created attachment 2195 [details]
revised patch
The reporter's patch no longer applies as there is no longer any call to krb5_kuserok() in auth1.c. I think this one is correct.
retarget to openssh-6.3 Retarget to openssh-6.4 Retarget 6.3 -> 6.4 applied - this will be in openssh-6.4p1. Thanks! Close all resolved bugs after 7.3p1 release |
Created attachment 2179 [details] Patch Hi Darren Apparently, I made a small mistake when implementing #1583 back in 5.4p1 @@ -146,7 +146,7 @@ if (problem) goto out; - if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) { + if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, authctxt->pw->pw_name)) { problem = -1; goto out; } The krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client) call verifies if principal "authctxt->krb5_user" is allowed to login as local user "client". However, if AUTH_DOMAIN is set, "client" will be of the form USER@REALM, which breaks the call. As a result, the last parameter should always be the local user name (authctxt->pw->pw_name) as it was before implementing #1583. Can you please push the attached patch? Thanks! Miguel