bugzilla-daemon at mindrot.org
2012-Aug-10 12:30 UTC
[Bug 2032] New: Local user name in krb5_kuserok call
https://bugzilla.mindrot.org/show_bug.cgi?id=2032 Priority: P5 Bug ID: 2032 Assignee: unassigned-bugs at mindrot.org Summary: Local user name in krb5_kuserok call Severity: normal Classification: Unclassified OS: AIX Reporter: miguel.sanders at uniforce.be Hardware: PPC Status: NEW Version: 6.0p1 Component: Kerberos support Product: Portable OpenSSH Created attachment 2179 --> https://bugzilla.mindrot.org/attachment.cgi?id=2179&action=edit Patch Hi Darren Apparently, I made a small mistake when implementing #1583 back in 5.4p1 @@ -146,7 +146,7 @@ if (problem) goto out; - if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) { + if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, authctxt->pw->pw_name)) { problem = -1; goto out; } The krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client) call verifies if principal "authctxt->krb5_user" is allowed to login as local user "client". However, if AUTH_DOMAIN is set, "client" will be of the form USER at REALM, which breaks the call. As a result, the last parameter should always be the local user name (authctxt->pw->pw_name) as it was before implementing #1583. Can you please push the attached patch? Thanks! Miguel -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2012-Aug-10 12:31 UTC
[Bug 2032] Local user name in krb5_kuserok call
https://bugzilla.mindrot.org/show_bug.cgi?id=2032 Miguel Sanders <miguel.sanders at uniforce.be> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #2179|0 |1 is obsolete| | --- Comment #1 from Miguel Sanders <miguel.sanders at uniforce.be> --- Created attachment 2180 --> https://bugzilla.mindrot.org/attachment.cgi?id=2180&action=edit Patch -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2012-Aug-17 00:28 UTC
[Bug 2032] Local user name in krb5_kuserok call
https://bugzilla.mindrot.org/show_bug.cgi?id=2032 Darren Tucker <dtucker at zip.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dtucker at zip.com.au -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2012-Aug-17 00:29 UTC
[Bug 2032] Local user name in krb5_kuserok call
https://bugzilla.mindrot.org/show_bug.cgi?id=2032 Darren Tucker <dtucker at zip.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |2035 --- Comment #2 from Darren Tucker <dtucker at zip.com.au> --- unfortunately it's too late for 6.1 (the openbsd release is already cut) so targeting 6.2 -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2012-Nov-29 02:11 UTC
[Bug 2032] Local user name in krb5_kuserok call
https://bugzilla.mindrot.org/show_bug.cgi?id=2032 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #2195| |ok?(dtucker at zip.com.au) Flags| | Attachment #2180|0 |1 is obsolete| | --- Comment #3 from Damien Miller <djm at mindrot.org> --- Created attachment 2195 --> https://bugzilla.mindrot.org/attachment.cgi?id=2195&action=edit revised patch The reporter's patch no longer applies as there is no longer any call to krb5_kuserok() in auth1.c. I think this one is correct. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2013-Mar-07 23:21 UTC
[Bug 2032] Local user name in krb5_kuserok call
https://bugzilla.mindrot.org/show_bug.cgi?id=2032 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |2076 -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2013-Mar-07 23:23 UTC
[Bug 2032] Local user name in krb5_kuserok call
https://bugzilla.mindrot.org/show_bug.cgi?id=2032 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks|2035 | --- Comment #4 from Damien Miller <djm at mindrot.org> --- retarget to openssh-6.3 -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2013-Jul-25 02:17 UTC
[Bug 2032] Local user name in krb5_kuserok call
https://bugzilla.mindrot.org/show_bug.cgi?id=2032 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |2130 --- Comment #5 from Damien Miller <djm at mindrot.org> --- Retarget to openssh-6.4 -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2013-Jul-25 02:20 UTC
[Bug 2032] Local user name in krb5_kuserok call
https://bugzilla.mindrot.org/show_bug.cgi?id=2032 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks|2076 | --- Comment #6 from Damien Miller <djm at mindrot.org> --- Retarget 6.3 -> 6.4 -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at natsu.mindrot.org
2013-Oct-23 23:50 UTC
[Bug 2032] Local user name in krb5_kuserok call
https://bugzilla.mindrot.org/show_bug.cgi?id=2032 Darren Tucker <dtucker at zip.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #2195|ok?(dtucker at zip.com.au) |ok+ Flags| | -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at natsu.mindrot.org
2013-Oct-23 23:53 UTC
[Bug 2032] Local user name in krb5_kuserok call
https://bugzilla.mindrot.org/show_bug.cgi?id=2032 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED CC| |djm at mindrot.org Resolution|--- |FIXED --- Comment #7 from Damien Miller <djm at mindrot.org> --- applied - this will be in openssh-6.4p1. Thanks! -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2016-Aug-02 00:43 UTC
[Bug 2032] Local user name in krb5_kuserok call
https://bugzilla.mindrot.org/show_bug.cgi?id=2032 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED --- Comment #8 from Damien Miller <djm at mindrot.org> --- Close all resolved bugs after 7.3p1 release -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
Possibly Parallel Threads
- PATCH: krb4/krb5/... names/patterns in auth_keys entries
- Help request: merging OpenBSD Kerberos change into Portable.
- OpenSSH and Kerberos / Active Directory authentication problems: Credentials cache permission incorrect / No Credentials Cache found
- openssh & kerberos difficulties
- [PATCH] Simplify Kerberos credentials cache code