bugzilla-daemon at mindrot.org
2012-Aug-10  12:30 UTC
[Bug 2032] New: Local user name in krb5_kuserok call
https://bugzilla.mindrot.org/show_bug.cgi?id=2032
          Priority: P5
            Bug ID: 2032
          Assignee: unassigned-bugs at mindrot.org
           Summary: Local user name in krb5_kuserok call
          Severity: normal
    Classification: Unclassified
                OS: AIX
          Reporter: miguel.sanders at uniforce.be
          Hardware: PPC
            Status: NEW
           Version: 6.0p1
         Component: Kerberos support
           Product: Portable OpenSSH
Created attachment 2179
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2179&action=edit
Patch
Hi Darren
Apparently, I made a small mistake when implementing #1583 back in
5.4p1
@@ -146,7 +146,7 @@
        if (problem)
                goto out;
-       if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
client)) {
+       if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
authctxt->pw->pw_name)) {
                problem = -1;
                goto out;
        }
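Review bot: the new third argument to krb5_kuserok() dereferences authctxt->pw, and nothing in the visible context checks it; confirm it is set on every path that reaches this call, or guard it before the call. A short comment above the call saying that the last argument must be the local account name rather than `client` would help keep this from regressing again. The hunk also carries no file header and its changed lines are wrapped, so it will not apply as posted; the attachment should be the unwrapped diff.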
The krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client) call
verifies if principal "authctxt->krb5_user" is allowed to login as
local user "client".
However, if AUTH_DOMAIN is set, "client" will be of the form
USER@REALM, which breaks the call.
As a result, the last parameter should always be the local user name
(authctxt->pw->pw_name) as it was before implementing #1583.
Can you please push the attached patch?
Thanks!
Miguel
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
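An added illustration (not code from OpenSSH or from any Kerberos library) of why the last argument described in the report above has to be the local account name: a simplified model of the krb5_kuserok() decision, assuming MIT-style defaults (a .k5login list if the account has one, otherwise the default principal-to-local-name mapping). The accounts, the realm EXAMPLE.COM and the function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample data: local accounts and the principals in ~/.k5login. */
struct account { const char *name; const char *k5login[3]; };
static const struct account accounts[] = {
    { "alice",  { NULL } },                       /* no .k5login file */
    { "oracle", { "alice@EXAMPLE.COM", NULL } },  /* alice may log in as oracle */
};
static const char *default_realm = "EXAMPLE.COM"; /* placeholder realm */

/* Default mapping: a principal in the default realm maps to its name part. */
static int aname_to_lname(const char *princ, char *out, size_t len)
{
    const char *at = strchr(princ, '@');
    if (at == NULL || strcmp(at + 1, default_realm) != 0)
        return -1;
    if ((size_t)(at - princ) >= len)
        return -1;
    memcpy(out, princ, (size_t)(at - princ));
    out[at - princ] = '\0';
    return 0;
}

/* Hypothetical model of the decision: 1 = principal may log in as luser. */
static int model_kuserok(const char *princ, const char *luser)
{
    char lname[64];
    size_t i, j, n = sizeof(accounts) / sizeof(accounts[0]);
    for (i = 0; i < n; i++) {                     /* stands in for getpwnam() */
        if (strcmp(accounts[i].name, luser) != 0 || !accounts[i].k5login[0])
            continue;
        for (j = 0; accounts[i].k5login[j] != NULL; j++)
            if (strcmp(accounts[i].k5login[j], princ) == 0)
                return 1;
        return 0;                                 /* .k5login is authoritative */
    }
    if (aname_to_lname(princ, lname, sizeof(lname)) != 0)
        return 0;
    return strcmp(lname, luser) == 0;             /* must equal the local name */
}

int main(void)
{
    const char *p = "alice@EXAMPLE.COM";
    printf("luser=alice             -> %d\n", model_kuserok(p, "alice"));
    printf("luser=alice@EXAMPLE.COM -> %d\n", model_kuserok(p, p));
    printf("luser=oracle            -> %d\n", model_kuserok(p, "oracle"));
    return 0;
}
```

In this model a realm-qualified string as the local user matches no account and never equals the mapped name, so a legitimate principal is refused; the platform's real library may differ in detail.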
bugzilla-daemon at mindrot.org
2012-Aug-10  12:31 UTC
[Bug 2032] Local user name in krb5_kuserok call
https://bugzilla.mindrot.org/show_bug.cgi?id=2032
Miguel Sanders <miguel.sanders at uniforce.be> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2179|0                           |1
        is obsolete|                            |
--- Comment #1 from Miguel Sanders <miguel.sanders at uniforce.be> ---
Created attachment 2180
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2180&action=edit
Patch
bugzilla-daemon at mindrot.org
2012-Aug-17  00:28 UTC
[Bug 2032] Local user name in krb5_kuserok call
https://bugzilla.mindrot.org/show_bug.cgi?id=2032
Darren Tucker <dtucker at zip.com.au> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2012-Aug-17  00:29 UTC
[Bug 2032] Local user name in krb5_kuserok call
https://bugzilla.mindrot.org/show_bug.cgi?id=2032
Darren Tucker <dtucker at zip.com.au> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2035
--- Comment #2 from Darren Tucker <dtucker at zip.com.au> ---
Unfortunately it's too late for 6.1 (the OpenBSD release is already
cut) so targeting 6.2
bugzilla-daemon at mindrot.org
2012-Nov-29  02:11 UTC
[Bug 2032] Local user name in krb5_kuserok call
https://bugzilla.mindrot.org/show_bug.cgi?id=2032
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2195|                            |ok?(dtucker at zip.com.au)
              Flags|                            |
   Attachment #2180|0                           |1
        is obsolete|                            |
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Created attachment 2195
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2195&action=edit
revised patch
The reporter's patch no longer applies as there is no longer any call
to krb5_kuserok() in auth1.c. I think this one is correct.
bugzilla-daemon at mindrot.org
2013-Mar-07  23:21 UTC
[Bug 2032] Local user name in krb5_kuserok call
https://bugzilla.mindrot.org/show_bug.cgi?id=2032
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2076
bugzilla-daemon at mindrot.org
2013-Mar-07  23:23 UTC
[Bug 2032] Local user name in krb5_kuserok call
https://bugzilla.mindrot.org/show_bug.cgi?id=2032
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|2035                        |
--- Comment #4 from Damien Miller <djm at mindrot.org> ---
retarget to openssh-6.3
bugzilla-daemon at mindrot.org
2013-Jul-25  02:17 UTC
[Bug 2032] Local user name in krb5_kuserok call
https://bugzilla.mindrot.org/show_bug.cgi?id=2032
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2130
--- Comment #5 from Damien Miller <djm at mindrot.org> ---
Retarget to openssh-6.4
bugzilla-daemon at mindrot.org
2013-Jul-25  02:20 UTC
[Bug 2032] Local user name in krb5_kuserok call
https://bugzilla.mindrot.org/show_bug.cgi?id=2032
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|2076                        |
--- Comment #6 from Damien Miller <djm at mindrot.org> ---
Retarget 6.3 -> 6.4
bugzilla-daemon at natsu.mindrot.org
2013-Oct-23  23:50 UTC
[Bug 2032] Local user name in krb5_kuserok call
https://bugzilla.mindrot.org/show_bug.cgi?id=2032
Darren Tucker <dtucker at zip.com.au> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2195|ok?(dtucker at zip.com.au)     |ok+
              Flags|                            |
bugzilla-daemon at natsu.mindrot.org
2013-Oct-23  23:53 UTC
[Bug 2032] Local user name in krb5_kuserok call
https://bugzilla.mindrot.org/show_bug.cgi?id=2032
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |djm at mindrot.org
         Resolution|---                         |FIXED
--- Comment #7 from Damien Miller <djm at mindrot.org> ---
applied - this will be in openssh-6.4p1. Thanks!
bugzilla-daemon at bugzilla.mindrot.org
2016-Aug-02  00:43 UTC
[Bug 2032] Local user name in krb5_kuserok call
https://bugzilla.mindrot.org/show_bug.cgi?id=2032
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED
--- Comment #8 from Damien Miller <djm at mindrot.org> ---
Close all resolved bugs after 7.3p1 release