Created attachment 1621 [details] Patch for user principal name I'm currently observing a rather bizarre situation when using password based Kerberos authentication in OpenSSH on AIX. Even though AIX can authenticate a user via Kerberos (using the KRB5A load module), OpenSSH cannot Kerberos authenticate this user. This is caused by the fact that the user has two attributes which OpenSSH doesn't take into account when forming the principal name of the user (attributes auth_name and auth_domain). If AIX user, myuser, has the attributes auth_name=someone and auth_domain=SOMEWHERE, then the Kerberos principal name would be someone@SOMEWHERE instead of myuser@DEFAULTREALM. By using the auth_domain attribute, requests are sent to the SOMEWHERE realm instead of the default realm DEFAULTREALM, which is listed in the libdefaults section of the krb5.conf configuration file. If I look at the code I can see the following in auth-krb5.c on line 88, which causes this behaviour:
problem = krb5_parse_name(authctxt->krb5_ctx, authctxt->pw->pw_name, &authctxt->krb5_user);
Since authctxt->pw->pw_name contains only the user name (without a realm), the default realm will be automatically appended according to the documentation of the krb5_parse_name call. Since this isn't the correct realm name (the overwritten auth_domain is the correct one), Kerberos authentication fails. If the auth_domain attribute is not set, the default realm name will be used.
Created attachment 1622 [details] Patch for user principal name (Unified diff)
Created attachment 1627 [details] Patch for user principal name (Unified diff) Relocated the getuserattr code
Hi After applying the changes proposed above locally, Kerberos authentication now runs fine in OpenSSH, in which the correct user principal name is formed and authenticated.
Created attachment 1653 [details] Patch against CVS
Created attachment 1654 [details] Patch against CVS
I think the general idea behind this is fine, although I don't have AIX here to test it on. However, please use safer string handling functions than strcpy and strcat. Something like xasprintf() might help - you could replace all of your current string handling with:
xasprintf(&client, "%s%s%s", (authname ? authname : authctxt->pw->pw_name), (authdomain ? "@" : ""), (authdomain ? authdomain : ""));
or consider using the buffer routines to build the string.
Thanks, I'll look at this for 5.3
Created attachment 1672 [details] Make the krb5name patch generic. This patch is based on #1654, but it's bigger. There's method in the madness, honest. The constraints are:
- we want to keep the diffs between OpenBSD and Portable to a minimum
- we'd prefer platform specific code in the relevant platform's file (in this case, openbsd-compat/port-aix.c)
- we'd like any hooks to be usable by any other platforms.
So, this diff:
- adds a platform_get_krb5_client_name in platform.c and hooks it in to auth-krb5.c
- moves the platform specific code into port-aix.c and adds the hooks to enable it when appropriate.
I can only compile test this as I don't have (and in fact deny all knowledge of) kerberos. Please let me know if it works, or if different names for the functions would be more appropriate.
Hi Darren Thanks for your feedback. I'll have a look at the patch and will keep you posted. Cheers!
Retarget for 5.4 since we'll want to wrap up 5.3 soon.
Hi Darren I made some changes to the patch you provided earlier on. Since enduserdb() will free all allocations made by the getuserattr() call, it must be located before the actual return. I also renamed the functions to platform_krb5_get_principal_name and aix_krb5_get_principal_name. Finally, since the two user attributes are standard AIX user attributes, there is no need for an additional configure check. I changed the platform_krb5_get_principal_name function to
char *
platform_krb5_get_principal_name(const char *pw_name)
{
#ifdef _AIX
	return aix_krb5_get_principal_name(pw_name);
#else
	return NULL;
#endif
}
Could you review the patch?
Created attachment 1713 [details] Generic patch
Comment on attachment 1713 [details] Generic patch
>Finally, since the two user attributes are standard AIX user
>attributes, there is no need for an additional configure check.
They're not present on old AIXes, which I still test on and currently work, so I'm not going to remove the #ifdef
>+ } else if (authname != NULL){
>+ enduserdb();
>+ return xstrdup(authname);
This still uses authname after enduserdb. Other than those two things it looks good, I'll attach an updated patch.
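Review bot: in the quoted hunk, return xstrdup(authname) runs after enduserdb(), so it copies from storage that enduserdb() has already freed (the attribute values returned by getuserattr() are only valid until then, as noted earlier in this thread). Take the copy first and release afterwards, e.g. `client = xstrdup(authname); enduserdb(); return client;`, and use the same ordering in any branch that formats authdomain into the result, so that no pointer obtained from getuserattr() is read once enduserdb() has run.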
Created attachment 1745 [details] openssh-aix-krb5.patch Updated patch for AIX native krb5 principals.
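As an added illustration, not code from this thread or from the OpenSSH patch, here is the principal construction the comments describe written in portable C: the AIX getuserattr()/enduserdb() calls are replaced by a constructed in-memory user table (fake_getuserattr/fake_enduserdb are hypothetical names) so it runs anywhere, the string is built with the three-part "%s%s%s" shape suggested for xasprintf(), and the copy is made before the database is released, which is the ordering the review of attachment 1713 asks for.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for the AIX user database.  In the real code the values
 * come from getuserattr(name, S_AUTHNAME / S_AUTHDOMAIN, ...) and the pointers
 * it hands out are only valid until enduserdb() is called. */
struct fake_user { const char *name, *auth_name, *auth_domain; };
static const struct fake_user users[] = {
    { "myuser", "someone", "SOMEWHERE" },   /* both attributes set    */
    { "bob",    "robert",  NULL        },   /* auth_name only         */
    { "alice",  NULL,      NULL        },   /* neither: default realm */
};
static char attr_buf[2][64];                /* storage owned by the "db" */

/* Hypothetical lookup mirroring getuserattr(): points *out at database-owned
 * storage and returns 0, or returns -1 (leaving *out alone) if unset. */
static int fake_getuserattr(const char *name, int which, const char **out) {
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++) {
        if (strcmp(users[i].name, name) != 0) continue;
        const char *v = which == 0 ? users[i].auth_name : users[i].auth_domain;
        if (v == NULL) return -1;
        snprintf(attr_buf[which], sizeof attr_buf[which], "%s", v);
        *out = attr_buf[which];
        return 0;
    }
    return -1;
}
/* Mirrors enduserdb(): everything handed out above becomes invalid. */
static void fake_enduserdb(void) { memset(attr_buf, 0, sizeof attr_buf); }
/* Build the principal as the thread describes: auth_name replaces the login
 * name, auth_domain replaces the default realm.  Returns a malloc'd string, or
 * NULL when the caller should fall back to pw_name and let krb5_parse_name()
 * append the default realm.  The copy is made BEFORE the database is released,
 * which is the ordering the review asked for. */
char *platform_krb5_get_principal_name(const char *pw_name) {
    const char *authname = NULL, *authdomain = NULL;
    char *client = NULL;
    fake_getuserattr(pw_name, 0, &authname);    /* stays NULL if unset */
    fake_getuserattr(pw_name, 1, &authdomain);
    if (authname != NULL || authdomain != NULL) {
        const char *base = authname ? authname : pw_name;
        size_t n = strlen(base) + (authdomain ? strlen(authdomain) + 1 : 0) + 1;
        if ((client = malloc(n)) != NULL)       /* same "%s%s%s" shape as xasprintf() */
            snprintf(client, n, "%s%s%s", base, authdomain ? "@" : "",
                     authdomain ? authdomain : "");
    }
    fake_enduserdb();   /* safe now: nothing from the db is used after this */
    return client;
}
```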
Hi Darren Thanks for the feedback. You are right about those two remarks. The patch you supplied works fine. Cheers Miguel
Thanks, this has been committed and will be in the 5.4p1 release.
With the release of 5.4p1, this bug is now considered closed.