Attachment #1956 for bug #1780





extern ServerOptions	 options;

int
ssh_krb5_kuserok(krb5_context krb5_ctx, krb5_principal krb5_user, const char *client)
{
	if (options.use_kuserok)
		return krb5_kuserok(krb5_ctx, krb5_user, client);
	else {
		char kuser[65];

		if (krb5_aname_to_localname(krb5_ctx, krb5_user, sizeof(kuser), kuser))
			return 0;
		return strcmp(kuser, client) == 0;
	}
}

static int
krb5_init(void *context)
{

	if (problem)
		goto out;

	if (!ssh_krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
		problem = -1;
		goto out;
	}

Lines 57-62 extern ServerOptions options; Link Here

(-)openssh-5.6p1/gss-serv-krb5.c.kuserok (-1 / +2 lines)
57	#endif	57	#endif
58		58
59	static krb5_context krb_context = NULL;	59	static krb5_context krb_context = NULL;
		60	extern int ssh_krb5_kuserok(krb5_context, krb5_principal, const char *);
60		61
61	/* Initialise the krb5 library, for the stuff that GSSAPI won't do */	62	/* Initialise the krb5 library, for the stuff that GSSAPI won't do */
62		63
Lines 97-103 ssh_gssapi_krb5_userok(ssh_gssapi_client Link Here
97	krb5_get_err_text(krb_context, retval));	98	krb5_get_err_text(krb_context, retval));
98	return 0;	99	return 0;
99	}	100	}
100	if (krb5_kuserok(krb_context, princ, name)) {	101	if (ssh_krb5_kuserok(krb_context, princ, name)) {
101	retval = 1;	102	retval = 1;
102	logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",	103	logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
103	name, (char *)client->displayname.value);	104	name, (char *)client->displayname.value);

Lines 138-143 initialize_server_options(ServerOptions Link Here

(-)openssh-5.6p1/servconf.c.kuserok (-1 / +12 lines)
138	options->revoked_keys_file = NULL;	138	options->revoked_keys_file = NULL;
139	options->trusted_user_ca_keys = NULL;	139	options->trusted_user_ca_keys = NULL;
140	options->authorized_principals_file = NULL;	140	options->authorized_principals_file = NULL;
		141	options->use_kuserok = -1;
141	}	142	}
142		143
143	void	144	void
Lines 286-291 fill_default_server_options(ServerOption Link Here
286	if (use_privsep == -1)	287	if (use_privsep == -1)
287	use_privsep = 1;	288	use_privsep = 1;
288		289
		290	if (options->use_kuserok == -1)
		291	options->use_kuserok = 1;
289	#ifndef HAVE_MMAP	292	#ifndef HAVE_MMAP
290	if (use_privsep && options->compression == 1) {	293	if (use_privsep && options->compression == 1) {
291	error("This platform does not support both privilege "	294	error("This platform does not support both privilege "
Lines 307-313 typedef enum { Link Here
307	sPermitRootLogin, sLogFacility, sLogLevel,	310	sPermitRootLogin, sLogFacility, sLogLevel,
308	sRhostsRSAAuthentication, sRSAAuthentication,	311	sRhostsRSAAuthentication, sRSAAuthentication,
309	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,	312	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
310	sKerberosGetAFSToken,	313	sKerberosGetAFSToken, sKerberosUseKuserok,
311	sKerberosTgtPassing, sChallengeResponseAuthentication,	314	sKerberosTgtPassing, sChallengeResponseAuthentication,
312	sPasswordAuthentication, sKbdInteractiveAuthentication,	315	sPasswordAuthentication, sKbdInteractiveAuthentication,
313	sListenAddress, sAddressFamily,	316	sListenAddress, sAddressFamily,
Lines 377-387 static struct { Link Here
377	#else	380	#else
378	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },	381	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
379	#endif	382	#endif
		383	{ "kerberosusekuserok", sKerberosUseKuserok, SSHCFG_ALL },
380	#else	384	#else
381	{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },	385	{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
382	{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },	386	{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
383	{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },	387	{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
384	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },	388	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
		389	{ "kerberosusekuserok", sUnsupported, SSHCFG_ALL },
385	#endif	390	#endif
386	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },	391	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
387	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },	392	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
Lines 1341-1346 process_server_config_line(ServerOptions Link Here
1341	*activep = value;	1346	*activep = value;
1342	break;	1347	break;
1343		1348
		1349	case sKerberosUseKuserok:
		1350	intptr = &options->use_kuserok;
		1351	goto parse_flag;
		1352
1344	case sPermitOpen:	1353	case sPermitOpen:
1345	arg = strdelim(&cp);	1354	arg = strdelim(&cp);
1346	if (!arg \|\| *arg == '\0')	1355	if (!arg \|\| *arg == '\0')
Lines 1525-1530 copy_set_server_options(ServerOptions *d Link Here
1525	M_CP_INTOPT(x11_use_localhost);	1534	M_CP_INTOPT(x11_use_localhost);
1526	M_CP_INTOPT(max_sessions);	1535	M_CP_INTOPT(max_sessions);
1527	M_CP_INTOPT(max_authtries);	1536	M_CP_INTOPT(max_authtries);
		1537	M_CP_INTOPT(use_kuserok);
1528		1538
1529	M_CP_STROPT(banner);	1539	M_CP_STROPT(banner);
1530	if (preauth)	1540	if (preauth)
Lines 1745-1750 dump_config(ServerOptions *o) Link Here
1745	dump_cfg_fmtint(sUseDNS, o->use_dns);	1755	dump_cfg_fmtint(sUseDNS, o->use_dns);
1746	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);	1756	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
1747	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);	1757	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
		1758	dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
1748		1759
1749	/* string arguments */	1760	/* string arguments */
1750	dump_cfg_string(sPidFile, o->pid_file);	1761	dump_cfg_string(sPidFile, o->pid_file);

Lines 157-162 typedef struct { Link Here

(-)openssh-5.6p1/servconf.h.kuserok (+1 lines)
157		157
158	int num_permitted_opens;	158	int num_permitted_opens;
159		159
		160	int use_kuserok;
160	char *chroot_directory;	161	char *chroot_directory;
161	char *revoked_keys_file;	162	char *revoked_keys_file;
162	char *trusted_user_ca_keys;	163	char *trusted_user_ca_keys;

Lines 564-569 Specifies whether to automatically destr Link Here

(-)openssh-5.6p1/sshd_config.5.kuserok (+5 lines)
564	file on logout.	564	file on logout.
565	The default is	565	The default is
566	.Dq yes .	566	.Dq yes .
		567	.It Cm KerberosUseKuserok
		568	Specifies whether to look at .k5login file for user's aliases.
		569	The default is
		570	.Dq yes .
567	.It Cm KeyRegenerationInterval	571	.It Cm KeyRegenerationInterval
568	In protocol version 1, the ephemeral server key is automatically regenerated	572	In protocol version 1, the ephemeral server key is automatically regenerated
569	after this many seconds (if it has been used).	573	after this many seconds (if it has been used).
Lines 694-699 Available keywords are Link Here
694	.Cm HostbasedUsesNameFromPacketOnly ,	698	.Cm HostbasedUsesNameFromPacketOnly ,
695	.Cm KbdInteractiveAuthentication ,	699	.Cm KbdInteractiveAuthentication ,
696	.Cm KerberosAuthentication ,	700	.Cm KerberosAuthentication ,
		701	.Cm KerberosUseKuserok ,
697	.Cm MaxAuthTries ,	702	.Cm MaxAuthTries ,
698	.Cm MaxSessions ,	703	.Cm MaxSessions ,
699	.Cm PubkeyAuthentication ,	704	.Cm PubkeyAuthentication ,

Lines 72-77 ChallengeResponseAuthentication no Link Here

(-)openssh-5.6p1/sshd_config.kuserok (+1 lines)
72	#KerberosOrLocalPasswd yes	72	#KerberosOrLocalPasswd yes
73	#KerberosTicketCleanup yes	73	#KerberosTicketCleanup yes
74	#KerberosGetAFSToken no	74	#KerberosGetAFSToken no
		75	#KerberosUseKuserok yes
75		76
76	# GSSAPI options	77	# GSSAPI options
77	#GSSAPIAuthentication no	78	#GSSAPIAuthentication no

Return to bug 1780

Lines 54-59 Link Here

(-)openssh-5.6p1/auth-krb5.c.kuserok (-1 / +15 lines)
54		54
55	extern ServerOptions options;	55	extern ServerOptions options;
56		56
		57	int
		58	ssh_krb5_kuserok(krb5_context krb5_ctx, krb5_principal krb5_user, const char *client)
		59	{
		60	if (options.use_kuserok)
		61	return krb5_kuserok(krb5_ctx, krb5_user, client);
		62	else {
		63	char kuser[65];
		64
		65	if (krb5_aname_to_localname(krb5_ctx, krb5_user, sizeof(kuser), kuser))
		66	return 0;
		67	return strcmp(kuser, client) == 0;
		68	}
		69	}
		70
57	static int	71	static int
58	krb5_init(void *context)	72	krb5_init(void *context)
59	{	73	{
Lines 146-152 auth_krb5_password(Authctxt *authctxt, c Link Here
146	if (problem)	160	if (problem)
147	goto out;	161	goto out;
148		162
149	if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {	163	if (!ssh_krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
150	problem = -1;	164	problem = -1;
151	goto out;	165	goto out;
152	}	166	}