Bug 2063

Summary:

RFE: export principal which was used for .k5login

Product:

Portable OpenSSH

Reporter:

Enrico Scholz <enrico.scholz>

Component:

Kerberos support

Assignee:

Assigned to nobody <unassigned-bugs>

Status:

NEW ---

Severity:

enhancement

CC:

akkornel, andersk, fccagou, jcpunk

Priority:

Version:

6.1p1

Hardware:

Other

OS:

Linux

Attachments:

Description	Flags
Patch from openssh-portable tree at commit e7bf3a5eda	none

Description Enrico Scholz 2013-01-17 00:55:38 AEDT

It would be nice to have information which principal was used for log in 
via .k5login.  E.g. 'gitolite' uses by default ssh public keys (where real identity can be easily recorded by environment/commands in ~/.ssh/authorized_keys) and it will be trivial to implement a similar mechanism for kerberos auth, when original principal is exported somehow.

A patch is available at

http://geggus.net/sven/blogfiles/GSS_AUTH_KRB5_PRINC-env4openssh.diff


See

http://blog.gegg.us/2012/07/using-gitolite-with-kerberos-authentication/
https://groups.google.com/forum/?fromgroups=#!topic/comp.protocols.kerberos/6b7tSA-og0k

for some more discussions.

Comment 1 Anders Kaseorg 2013-06-28 06:36:45 AEST

For scripts.mit.edu we wrote this patch that doesn’t specifically depend on PAM or krb5:

https://scripts.mit.edu/trac/browser/trunk/server/common/patches/openssh-4.7p1-gssapi-name-in-env.patch

Comment 2 Karl Kornel 2015-04-11 04:51:01 AEST

Created attachment 2580 [details]
Patch from openssh-portable tree at commit e7bf3a5eda

I've also got a patch for this.  This patch was made from the current openssh-portable tree, as of commit e7bf3a5eda.

This patch introduces a new option, GSSAPISetEnv.  By default, the option is disabled.  If the option is enabled, then the environment variable SSH_GSSAPI_DISPLAYNAME will be set when the user authenticates using GSSAPI.  The environment variable is also made available to the PAM environment, if PAM is enabled.

In my case, I went for the GSSAPI display name because I saw it was being used in debug messages (gss-serv-krb5.c lines 104-105).  I also saw the display name being made available in gsasl (http://www.gnu.org/software/gsasl/manual/html_node/Properties.html, talking about the GSASL_GSSAPI_DISPLAY_NAME property).

Comment 3 François 2015-10-15 06:31:20 AEDT

This feature should be welcome for me too.
Is there any reason why the patches are not accepted ?

Comment 4 PatRiehecky 2017-02-07 03:51:40 AEDT

Circling back around to this bug.  Any chance this could be considered for a future release?