bugzilla-daemon at bugzilla.mindrot.org
2009-Apr-02 05:37 UTC
[Bug 1583] New: User principal name in AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1583
Summary: User principal name in AIX
Product: Portable OpenSSH
Version: 5.2p1
Platform: PPC
OS/Version: AIX
Status: NEW
Severity: normal
Priority: P2
Component: Kerberos support
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: miguel.sanders at arcelormittal.com
CC: miguel.sanders at arcelormittal.com
Created an attachment (id=1621)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1621)
Patch for user principal name
I'm currently observing a rather bizarre situation when using password
based Kerberos authentication in OpenSSH on AIX.
Even though AIX can authenticate a user via Kerberos (using the KRB5A
load module), OpenSSH cannot Kerberos authenticate this user.
This is caused by the fact that the user has two attributes which
OpenSSH doesn't take into account when forming the principal name of
the user (attributes auth_name and auth_domain).
If AIX user, myuser, has the attributes auth_name=someone and
auth_domain=SOMEWHERE, then the Kerberos principal name would be
someone at SOMEWHERE instead of myuser at DEFAULTREALM. By using the
auth_domain attribute, requests are sent to the SOMEWHERE realm
instead of the default realm DEFAULTREALM, which is listed in the
libdefaults section of the krb5.conf configuration file.
If I look at the code I can see the following in auth-krb5.c on line
88, which causes this behaviour:
problem = krb5_parse_name(authctxt->krb5_ctx,
    authctxt->pw->pw_name, &authctxt->krb5_user);
Since authctxt->pw->pw_name contains only the user name (without a
realm), the default realm will be automatically appended according to
the documentation of the krb5_parse_name call. Since this isn't the
correct realm name (the overwritten auth_domain is the correct one),
Kerberos authentication fails. If the auth_domain attribute is not set,
the default realm name will be used.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-Apr-02 05:47 UTC
[Bug 1583] User principal name in AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1583
Miguel Sanders <miguel.sanders at arcelormittal.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #1621 is obsolete|0 |1
--- Comment #1 from Miguel Sanders <miguel.sanders at arcelormittal.com>
2009-04-02 16:47:00 ---
Created an attachment (id=1622)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1622)
Patch for user principal name (Unified diff)
bugzilla-daemon at bugzilla.mindrot.org
2009-Apr-23 11:25 UTC
[Bug 1583] User principal name in AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1583
Miguel Sanders <miguel.sanders at arcelormittal.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #1622 is obsolete|0 |1
--- Comment #2 from Miguel Sanders <miguel.sanders at arcelormittal.com>
2009-04-23 21:25:27 ---
Created an attachment (id=1627)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1627)
Patch for user principal name (Unified diff)
Relocated the getuserattr code
bugzilla-daemon at bugzilla.mindrot.org
2009-May-19 14:34 UTC
[Bug 1583] User principal name in AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1583
--- Comment #3 from Miguel Sanders <miguel.sanders at arcelormittal.com> 2009-05-20 00:34:22 ---
Hi
After applying the changes proposed above locally, Kerberos authentication now runs fine in OpenSSH, in which the correct user principal name is formed and authenticated.
bugzilla-daemon at bugzilla.mindrot.org
2009-Jun-25 13:47 UTC
[Bug 1583] User principal name in AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1583
Miguel Sanders <miguel.sanders at arcelormittal.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #1627 is obsolete|0 |1
--- Comment #4 from Miguel Sanders <miguel.sanders at arcelormittal.com>
2009-06-25 23:47:52 ---
Created an attachment (id=1653)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1653)
Patch against CVS
bugzilla-daemon at bugzilla.mindrot.org
2009-Jun-25 13:49 UTC
[Bug 1583] User principal name in AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1583
Miguel Sanders <miguel.sanders at arcelormittal.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #1653 is obsolete|0 |1
--- Comment #5 from Miguel Sanders <miguel.sanders at arcelormittal.com>
2009-06-25 23:49:06 ---
Created an attachment (id=1654)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1654)
Patch against CVS
bugzilla-daemon at bugzilla.mindrot.org
2009-Jul-26 13:22 UTC
[Bug 1583] User principal name in AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1583
Simon Wilkinson <simon at sxw.org.uk> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |simon at sxw.org.uk
--- Comment #6 from Simon Wilkinson <simon at sxw.org.uk> 2009-07-26
23:22:33 ---
I think the general idea behind this is fine, although I don't have AIX
here to test it on.
However, please use safer string handling functions than strcpy and
strcat. Something like xasprintf() might help - you could replace all
of your current string handling with:
xasprintf(&client, "%s%s%s",
    (authname ? authname : authctxt->pw->pw_name),
    (authdomain ? "@" : ""),
    (authdomain ? authdomain : ""));
or consider using the buffer routines to build the string.
bugzilla-daemon at bugzilla.mindrot.org
2009-Jul-31 01:58 UTC
[Bug 1583] User principal name in AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1583
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at zip.com.au
Blocks| |1560
--- Comment #7 from Darren Tucker <dtucker at zip.com.au> 2009-07-31
11:58:39 ---
Thanks, I'll look at this for 5.3
bugzilla-daemon at bugzilla.mindrot.org
2009-Aug-20 10:44 UTC
[Bug 1583] User principal name in AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1583
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #1654 is obsolete|0 |1
--- Comment #8 from Darren Tucker <dtucker at zip.com.au> 2009-08-20
20:44:24 EST ---
Created an attachment (id=1672)
Make the krb5name patch generic.
This patch is based on #1654, but it's bigger. There's method in the
madness, honest. The constraints are:
- we want to keep the diffs between OpenBSD and Portable to a minimum
- we'd prefer platform specific code in the relevant platform's file
(in this case, openbsd-compat/port-aix.c)
- we'd like any hooks to be usable by any other platforms.
So, this diff:
- adds a platform_get_krb5_client_name in platform.c and hooks it in
to auth-krb5.c
- moves the platform specific code into port-aix.c and adds the hooks
to enable it when appropriate.
I can only compile test this as I don't have (and in fact deny all
knowledge of) kerberos. Please let me know if it works, or if
different names for the functions would be more appropriate.
bugzilla-daemon at bugzilla.mindrot.org
2009-Aug-22 08:40 UTC
[Bug 1583] User principal name in AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1583
--- Comment #9 from Miguel Sanders <miguel.sanders at arcelormittal.com> 2009-08-22 18:40:17 EST ---
Hi Darren
Thanks for your feedback. I'll have a look at the patch and will keep you posted.
Cheers!
bugzilla-daemon at bugzilla.mindrot.org
2009-Sep-09 00:13 UTC
[Bug 1583] User principal name in AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1583
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|1560 |1626
--- Comment #10 from Darren Tucker <dtucker at zip.com.au> 2009-09-09
10:13:35 EST ---
Retarget for 5.4 since we'll want to wrap up 5.3 soon.
bugzilla-daemon at bugzilla.mindrot.org
2009-Oct-29 12:58 UTC
[Bug 1583] User principal name in AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1583
--- Comment #11 from Miguel Sanders <miguel.sanders at arcelormittal.com>
2009-10-29 23:58:00 EST ---
Hi Darren
I made some changes to the patch you provided earlier on.
Since enduserdb() will free all allocations made by the getuserattr()
call, it must be located before the actual return.
I also renamed the functions to platform_krb5_get_principal_name and
aix_krb5_get_principal_name.
Finally, since the two user attributes are standard AIX user
attributes, there is no need for an additional configure check. I
changed the platform_krb5_get_principal_name function to
char *
platform_krb5_get_principal_name(const char *pw_name)
{
#ifdef _AIX
	return aix_krb5_get_principal_name(pw_name);
#else
	return NULL;
#endif
}
Could you review the patch?
bugzilla-daemon at bugzilla.mindrot.org
2009-Oct-29 12:59 UTC
[Bug 1583] User principal name in AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1583
Miguel Sanders <miguel.sanders at arcelormittal.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #1672 is obsolete|0 |1
--- Comment #12 from Miguel Sanders <miguel.sanders at arcelormittal.com>
2009-10-29 23:59:11 EST ---
Created an attachment (id=1713)
--> (https://bugzilla.mindrot.org/attachment.cgi?id=1713)
Generic patch
bugzilla-daemon at bugzilla.mindrot.org
2009-Dec-10 07:26 UTC
[Bug 1583] User principal name in AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1583
--- Comment #13 from Darren Tucker <dtucker at zip.com.au> 2009-12-10 18:26:54 EST ---
(From update of attachment 1713)
> Finally, since the two user attributes are standard AIX user
> attributes, there is no need for an additional configure check.
They're not present on old AIXes, which I still test on and currently work, so I'm not going to remove the #ifdef.
> + } else if (authname != NULL){
> + enduserdb();
> + return xstrdup(authname);
This still uses authname after enduserdb.
Other than those two things it looks good, I'll attach an updated patch.
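Review bot: in the quoted `} else if (authname != NULL)` branch, `xstrdup(authname)` runs after `enduserdb()`, and `enduserdb()` releases the storage that `getuserattr()` handed `authname` back in, so the copy is taken from memory that is no longer valid; make the copy first and release afterwards, e.g. `char *p = xstrdup(authname); enduserdb(); return p;`, and apply the same ordering to the `authdomain` branch.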
bugzilla-daemon at bugzilla.mindrot.org
2009-Dec-10 07:30 UTC
[Bug 1583] User principal name in AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1583
--- Comment #14 from Darren Tucker <dtucker at zip.com.au> 2009-12-10 18:30:06 EST ---
Created an attachment (id=1745)
--> (https://bugzilla.mindrot.org/attachment.cgi?id=1745)
openssh-aix-krb5.patch
Updated patch for AIX native krb5 principals.
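The two points raised in this thread, the bounded string building Simon asks for in comment #6 and the copy-before-enduserdb() ordering Darren flags in comment #13, as an added C example that is not the attached patch or OpenSSH code. AIX getuserattr()/enduserdb() are replaced by a constructed in-memory stand-in (FAKE_DB, fake_getuserattr, fake_enduserdb), and krb5_client_name() uses a measured snprintf() where the patch would use OpenSSH's xasprintf().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Build "<authname or pw_name>[@<authdomain>]" with a measured snprintf
 * instead of strcpy/strcat (the shape of comment #6's xasprintf()). A NULL
 * authdomain leaves a bare name so libkrb5 appends the default realm. */
char *krb5_client_name(const char *pw_name, const char *authname,
    const char *authdomain)
{
	const char *name = authname ? authname : pw_name;
	const char *sep = authdomain ? "@" : "";
	const char *dom = authdomain ? authdomain : "";
	int len = snprintf(NULL, 0, "%s%s%s", name, sep, dom);
	char *out;
	if (len < 0 || (out = malloc((size_t)len + 1)) == NULL)
		return NULL;	/* caller frees the result */
	snprintf(out, (size_t)len + 1, "%s%s%s", name, sep, dom);
	return out;
}
/* Constructed stand-in for the AIX user database: as with getuserattr(),
 * the returned pointers go stale once the enduserdb() stand-in runs. */
struct fake_user { const char *login, *auth_name, *auth_domain; };
static const struct fake_user FAKE_DB[] = {
	{ "myuser", "someone", "SOMEWHERE" },	/* the bug report's case */
	{ "plain",  NULL,      NULL },		/* no overrides set */
	{ "half",   "alias",   NULL },		/* auth_name only */
};
static char live[2][64];	/* wiped by fake_enduserdb() */
static const char *fake_getuserattr(const char *login, int domain)
{
	for (size_t i = 0; i < sizeof(FAKE_DB) / sizeof(FAKE_DB[0]); i++) {
		const char *v = domain ? FAKE_DB[i].auth_domain : FAKE_DB[i].auth_name;
		if (strcmp(FAKE_DB[i].login, login) != 0 || v == NULL)
			continue;
		snprintf(live[domain], sizeof(live[domain]), "%s", v);
		return live[domain];
	}
	return NULL;
}
static void fake_enduserdb(void) { memset(live, 0, sizeof(live)); }
/* Ordering from comment #13: build the result while the attribute values
 * are still valid, only then release the database. */
char *platform_krb5_get_principal_name(const char *pw_name)
{
	char *principal = krb5_client_name(pw_name,
	    fake_getuserattr(pw_name, 0), fake_getuserattr(pw_name, 1));
	fake_enduserdb();
	return principal;
}
```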
bugzilla-daemon at bugzilla.mindrot.org
2009-Dec-10 08:01 UTC
[Bug 1583] User principal name in AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1583
--- Comment #15 from Miguel Sanders <miguel.sanders at arcelormittal.com> 2009-12-10 19:01:29 EST ---
Hi Darren
Thanks for the feedback. You are right about those two remarks. The patch you supplied works fine.
Cheers
Miguel
bugzilla-daemon at bugzilla.mindrot.org
2009-Dec-20 23:50 UTC
[Bug 1583] User principal name in AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1583
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
--- Comment #16 from Darren Tucker <dtucker at zip.com.au> 2009-12-21
10:50:03 EST ---
Thanks, this has been committed and will be in the 5.4p1 release.
bugzilla-daemon at bugzilla.mindrot.org
2010-Mar-25 23:52 UTC
[Bug 1583] User principal name in AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1583
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #17 from Darren Tucker <dtucker at zip.com.au> 2010-03-26
10:52:04 EST ---
With the release of 5.4p1, this bug is now considered closed.