miguel.sanders at arcelormittal.com
2009-Mar-27 17:29 UTC
Patch for default Kerbers realm in AIX
Hi I'm currently observing a rather bizarre situation when using password based Kerberos authentication in OpenSSH on AIX. Even though AIX can authenticate a user via Kerberos (using the KRB5A load module), OpenSSH cannot Kerberos authenticate this user. This is caused by the fact that the user has two attributes which OpenSSH doesn't take into account when forming the principal name of the user (attributes auth_name and auth_domain). If AIX user, myuser, has the attributes auth_name=someone and auth_domain=SOMEWHERE, then the Kerberos principal name would be someone at SOMEWHERE instead of myuser at DEFAULTREALM. By using the auth_domain attribute, requests are sent to to the SOMEWHERE realm instead of the default realm DEFAULTREALM, which is listed in the libdefaults section of the krb5.conf configuration file. If I look at the code I can see the following in auth-krb5.c on line 88, which causes this behaviour: problem = krb5_parse_name(authctxt->krb5_ctx, authctxt->pw->pw_name,&authctxt->krb5_user); Since authctxt->pw->pw_name contains only the user name (without a realm), the default realm will be automatically appended according to the documentation of the krb5_parse_name call. Since this isn't the correct realm name (the overwritten auth_domain is the correct one), Kerberos authentication fails. If the auth_domain attribute is not set, the default realm name will be used. Since this is rather new for me, I don't know what the procedure is to supply a patch for this. Any pointers? Thank you very much! Met vriendelijke groet Best regards Bien ? vous Miguel SANDERS ArcelorMittal Gent UNIX Systems & Storage IT Supply Western Europe | John Kennedylaan 51 B-9042 Gent T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023 E miguel.sanders at arcelormittal.com www.arcelormittal.com/gent **** This message and any attachment are confidential, intended solely for the use of the individual or entity to whom it is addressed and may be protected by professional secrecy or intellectual property rights. If you have received it by mistake, or are not the named recipient(s), please immediately notify the sender and delete the message. You are hereby notified that any unauthorized use, copying or dissemination of any or all information contained in this message is prohibited. Arcelormittal shall not be liable for the message if altered, falsified, or in case of error in the recipient. This message does not constitute any right or commitment for ArcelorMittal except when expressly agreed otherwise in writing in a separate agreement. ****
Interesting. If there are no gotchas I'm sure this is desirable for OpenSSH, but I know very little about krb5 so I can't say. miguel.sanders at arcelormittal.com wrote:> Since this is rather new for me, I don't know what the procedure is > to supply a patch for this. Any pointers?Simply send a patch to the mailing list for review and inclusion. Please make sure to check out the latest available sources from CVS and work out the patch from there. Thanks! //Peter