openssh bugs - Jan 2013 - [Bug 2063] New: RFE: export principal which was used for .k5login

https://bugzilla.mindrot.org/show_bug.cgi?id=2063

            Bug ID: 2063
           Summary: RFE: export principal which was used for .k5login
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: 6.1p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Kerberos support
          Assignee: unassigned-bugs at mindrot.org
          Reporter: enrico.scholz at sigma-chemnitz.de

It would be nice to have information which principal was used for log
in 
via .k5login.  E.g. 'gitolite' uses by default ssh public keys (where
real identity can be easily recorded by environment/commands in
~/.ssh/authorized_keys) and it will be trivial to implement a similar
mechanism for kerberos auth, when original principal is exported
somehow.

A patch is available at

http://geggus.net/sven/blogfiles/GSS_AUTH_KRB5_PRINC-env4openssh.diff


See

http://blog.gegg.us/2012/07/using-gitolite-with-kerberos-authentication/
https://groups.google.com/forum/?fromgroups=#!topic/comp.protocols.kerberos/6b7tSA-og0k

for some more discussions.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2063

Anders Kaseorg <andersk at mit.edu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |andersk at mit.edu

--- Comment #1 from Anders Kaseorg <andersk at mit.edu> ---
For scripts.mit.edu we wrote this patch that doesn?t specifically
depend on PAM or krb5:

https://scripts.mit.edu/trac/browser/trunk/server/common/patches/openssh-4.7p1-gssapi-name-in-env.patch

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2063

Karl Kornel <akkornel at stanford.edu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |akkornel at stanford.edu

--- Comment #2 from Karl Kornel <akkornel at stanford.edu> ---
Created attachment 2580
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2580&action=edit
Patch from openssh-portable tree at commit e7bf3a5eda

I've also got a patch for this.  This patch was made from the current
openssh-portable tree, as of commit e7bf3a5eda.

This patch introduces a new option, GSSAPISetEnv.  By default, the
option is disabled.  If the option is enabled, then the environment
variable SSH_GSSAPI_DISPLAYNAME will be set when the user authenticates
using GSSAPI.  The environment variable is also made available to the
PAM environment, if PAM is enabled.

In my case, I went for the GSSAPI display name because I saw it was
being used in debug messages (gss-serv-krb5.c lines 104-105).  I also
saw the display name being made available in gsasl
(http://www.gnu.org/software/gsasl/manual/html_node/Properties.html,
talking about the GSASL_GSSAPI_DISPLAY_NAME property).

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2063

Fran?ois <fccagou at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fccagou at gmail.com

--- Comment #3 from Fran?ois <fccagou at gmail.com> ---
This feature should be welcome for me too.
Is there any reason why the patches are not accepted ?

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2063

PatRiehecky <jcpunk at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jcpunk at gmail.com

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2063

--- Comment #4 from PatRiehecky <jcpunk at gmail.com> ---
Circling back around to this bug.  Any chance this could be considered
for a future release?

-- 
You are receiving this mail because:
You are watching the assignee of the bug.