Bugzilla – Attachment 1859 Details for
Bug 1780
Option to disable .k5login support
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Proposed solution
openssh-5.5p1-kuserok.patch (text/plain), 4.71 KB, created by
jchadima
on 2010-06-14 17:47:01 AEST
(
hide
)
Description:
Proposed solution
Filename:
MIME Type:
Creator:
jchadima
Created:
2010-06-14 17:47:01 AEST
Size:
4.71 KB
patch
obsolete
>diff -up openssh-5.5p1/auth-krb5.c.kuserok openssh-5.5p1/auth-krb5.c >--- openssh-5.5p1/auth-krb5.c.kuserok 2010-06-08 11:40:10.000000000 +0200 >+++ openssh-5.5p1/auth-krb5.c 2010-06-08 11:40:11.000000000 +0200 >@@ -146,9 +146,11 @@ auth_krb5_password(Authctxt *authctxt, c > if (problem) > goto out; > >- if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) { >- problem = -1; >- goto out; >+ if (options.use_kuserok) { >+ if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) { >+ problem = -1; >+ goto out; >+ } > } > > problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache); >diff -up openssh-5.5p1/servconf.c.kuserok openssh-5.5p1/servconf.c >--- openssh-5.5p1/servconf.c.kuserok 2010-06-08 11:40:10.000000000 +0200 >+++ openssh-5.5p1/servconf.c 2010-06-08 11:46:20.000000000 +0200 >@@ -137,6 +137,7 @@ initialize_server_options(ServerOptions > options->zero_knowledge_password_authentication = -1; > options->revoked_keys_file = NULL; > options->trusted_user_ca_keys = NULL; >+ options->use_kuserok = -1; > } > > void >@@ -285,6 +286,8 @@ fill_default_server_options(ServerOption > if (use_privsep == -1) > use_privsep = 1; > >+ if (options->use_kuserok == -1) >+ options->use_kuserok = 1; > #ifndef HAVE_MMAP > if (use_privsep && options->compression == 1) { > error("This platform does not support both privilege " >@@ -306,7 +309,7 @@ typedef enum { > sPermitRootLogin, sLogFacility, sLogLevel, > sRhostsRSAAuthentication, sRSAAuthentication, > sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, >- sKerberosGetAFSToken, >+ sKerberosGetAFSToken, sKerberosUseKuserok, > sKerberosTgtPassing, sChallengeResponseAuthentication, > sPasswordAuthentication, sKbdInteractiveAuthentication, > sListenAddress, sAddressFamily, >@@ -376,11 +379,13 @@ static struct { > #else > { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, > #endif >+ { "kerberosusekuserok", sKerberosUseKuserok, SSHCFG_ALL }, > #else > { "kerberosauthentication", sUnsupported, SSHCFG_ALL }, > { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL }, > { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL }, > { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, >+ { "kerberosusekuserok", sUnsupported, SSHCFG_ALL }, > #endif > { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, > { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, >@@ -1335,6 +1340,10 @@ process_server_config_line(ServerOptions > *activep = value; > break; > >+ case sKerberosUseKuserok: >+ intptr = &options->use_kuserok; >+ goto parse_flag; >+ > case sPermitOpen: > arg = strdelim(&cp); > if (!arg || *arg == '\0') >@@ -1517,6 +1526,7 @@ copy_set_server_options(ServerOptions *d > M_CP_INTOPT(x11_use_localhost); > M_CP_INTOPT(max_sessions); > M_CP_INTOPT(max_authtries); >+ M_CP_INTOPT(use_kuserok); > > M_CP_STROPT(banner); > if (preauth) >@@ -1734,6 +1744,7 @@ dump_config(ServerOptions *o) > dump_cfg_fmtint(sUseDNS, o->use_dns); > dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); > dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); >+ dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok); > > /* string arguments */ > dump_cfg_string(sPidFile, o->pid_file); >diff -up openssh-5.5p1/servconf.h.kuserok openssh-5.5p1/servconf.h >--- openssh-5.5p1/servconf.h.kuserok 2010-06-08 11:40:10.000000000 +0200 >+++ openssh-5.5p1/servconf.h 2010-06-08 11:40:11.000000000 +0200 >@@ -157,6 +157,7 @@ typedef struct { > > int num_permitted_opens; > >+ int use_kuserok; > char *chroot_directory; > char *revoked_keys_file; > char *trusted_user_ca_keys; >diff -up openssh-5.5p1/sshd_config.5.kuserok openssh-5.5p1/sshd_config.5 >--- openssh-5.5p1/sshd_config.5.kuserok 2010-06-08 11:40:10.000000000 +0200 >+++ openssh-5.5p1/sshd_config.5 2010-06-08 11:40:11.000000000 +0200 >@@ -519,6 +519,10 @@ Specifies whether to automatically destr > file on logout. > The default is > .Dq yes . >+.It Cm KerberosUseKuserok >+Specifies whether to look at .k5login file for user's aliases. >+The default is >+.Dq yes . > .It Cm KeyRegenerationInterval > In protocol version 1, the ephemeral server key is automatically regenerated > after this many seconds (if it has been used). >@@ -644,6 +648,7 @@ Available keywords are > .Cm HostbasedAuthentication , > .Cm KbdInteractiveAuthentication , > .Cm KerberosAuthentication , >+.Cm KerberosUseKuserok , > .Cm MaxAuthTries , > .Cm MaxSessions , > .Cm PasswordAuthentication , >diff -up openssh-5.5p1/sshd_config.kuserok openssh-5.5p1/sshd_config >--- openssh-5.5p1/sshd_config.kuserok 2010-06-08 11:40:10.000000000 +0200 >+++ openssh-5.5p1/sshd_config 2010-06-08 11:40:11.000000000 +0200 >@@ -72,6 +72,7 @@ ChallengeResponseAuthentication no > #KerberosOrLocalPasswd yes > #KerberosTicketCleanup yes > #KerberosGetAFSToken no >+#KerberosUseKuserok yes > > # GSSAPI options > #GSSAPIAuthentication no
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=1859">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 1780
:
1859
|
1927
|
1956