search for: gss_compare_nam

Attached is a patch which in my environment (Linux/Heimdal 1.2.1) fixes cross-realm GSSAPI authentication. Changes it makes: 1. When using krb5_kuserok, do not call gss_compare_name to check that authn_name and authz_name are the same. Instead, make TWO calls to krb5_kuserok, one for each ID. If both IDs are acceptable, allow the login. 2. Disable checking that the name is a GSS_KRB5_PRINCIPAL_NAME, as this doesn't appear to be always the case for the authz_name. If I...

...e been trying to track down some problems with Dovecot in a Kerberos 5 cross-realm environment, and there seem to be a few issues. LOGIN/PLAIN work fine using pam_krb5, but GSSAPI is a bit harder to handle. On line 436 of src/auth/mech-gssapi.c, the authn_name and the authz_name are compared using gss_compare_name. This dates back to the message at: http://dovecot.org/pipermail/dovecot/2005-October/009615.html While everything within that message is true, as things stand, Dovecot is unusable in a cross-realm environment. When cross-realm tickets are used, the authn_name is "username at REALM" a...

...n, I used the krb5_userok() function. So if you're using a mechanism other than krb5 this won't work. But it's the same thing that OpenSSH and the apps distributed with heimdal do, so it seemed relatively safe. I also choose to append the krb5_userok() check rather than replace the gss_compare_name() check -- that way same-realm auth works for non-krb5 mechanisms, and my new code doesn't get called unless the same-realm check fails. If you don't care about other mechanisms it would be faster to bypass the gss_compare_name() check entirely. If this is something you'd like to m...

If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches? --- Scott Neugroschl | XYPRO Technology Corporation 4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |

..._context_token.c Compiling heimdal/lib/gssapi/mech/gss_buffer_set.c Compiling heimdal/lib/gssapi/mech/gss_aeap.c Compiling heimdal/lib/gssapi/mech/gss_add_cred.c Compiling heimdal/lib/gssapi/mech/gss_cred.c Compiling heimdal/lib/gssapi/mech/gss_add_oid_set_member.c Compiling heimdal/lib/gssapi/mech/gss_compare_name.c Compiling heimdal/lib/gssapi/mech/gss_release_oid_set.c Compiling heimdal/lib/gssapi/mech/gss_create_empty_oid_set.c Compiling heimdal/lib/gssapi/mech/gss_decapsulate_token.c Compiling heimdal/lib/gssapi/mech/gss_inquire_cred_by_oid.c Compiling heimdal/lib/gssapi/mech/gss_canonicalize_name.c Com...