search for: auth_name

...on AIX. Even though AIX can authenticate a user via Kerberos (using the KRB5A load module), OpenSSH cannot Kerberos authenticate this user. This is caused by the fact that the user has two attributes which OpenSSH doesn't take into account when forming the principal name of the user (attributes auth_name and auth_domain). If AIX user, myuser, has the attributes auth_name=someone and auth_domain=SOMEWHERE, then the Kerberos principal name would be someone at SOMEWHERE instead of myuser at DEFAULTREALM. By using the auth_domain attribute, requests are sent to to the SOMEWHERE realm instead of the de...

...instead of abusing gss_compare_name like this? I don't know how to do this using GSSAPI, but on the Kerberos side Heimdal provides the function krb5_kuserok. Dovecot could also just have a configurable file listing acceptable krb5 principals (preferably in .k5login syntax) and check that both auth_name and authz_name are in the list. Bryan Jacobs -------------- next part -------------- A non-text attachment was scrubbed... Name: authnmis2.patch Type: text/x-patch Size: 1646 bytes Desc: not available URL: <http://dovecot.org/pipermail/dovecot/attachments/20090303/4452ebb0/attachment-0004.bin&g...

...39;, 'SYSLOG_FACILITY' => '16', 'CACHE_SIZE' => '0', 'RESTRICT_GID_LAST' => '', 'TCPREMOTEIP' => '213.31.43.3', 'RESTRICT_GID_FIRST' => '', 'AUTH_NAME' => 'default', 'CACHE_TTL' => '3600', 'SERVICE' => 'IMAP', 'USERDB_1_DRIVER' => 'prefetch', 'USERNAME_CHARS' => 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456...

...on AIX. Even though AIX can authenticate a user via Kerberos (using the KRB5A load module), OpenSSH cannot Kerberos authenticate this user. This is caused by the fact that the user has two attributes which OpenSSH doesn't take into account when forming the principal name of the user (attributes auth_name and auth_domain). If AIX user, myuser, has the attributes auth_name=someone and auth_domain=SOMEWHERE, then the Kerberos principal name would be someone at SOMEWHERE instead of myuser at DEFAULTREALM. By using the auth_domain attribute, requests are sent to to the SOMEWHERE realm instead of the de...