search for: gssapi_client_name

...rv.c Thu, 05 Jul 2001 18:25:48 -0400 willian (OpenSSH/l/25_gss-serv.c 1.5 644) @@ -127,24 +127,45 @@ int ssh_gssapi_krb5_userok(char *name) { krb5_principal princ; - int retval; + int retval, retval2; + Key k; if (ssh_gssapi_krb5_init() == 0) return 0; + k.type = KEY_NAME; + k.name = gssapi_client_name.value; + k.name_len = strlen(gssapi_client_name.value); + k.name_type = "krb5"; + + debug3("ssh_gssapi_krb5_userok:"); + debug3("ssh_gssapi_krb5_userok: %s", k.name_type); + if ((retval=krb5_parse_name(krb_context, gssapi_client_name.value, &princ))) {...

Playing around with the [wonderful] GSS-API patches for OpenSSH [1] I noticed that there is a bit of functionality missing from OpenSSH/GSS-API, namely that authorized_keys2 has no meaning when using GSS authentication. Yes, ~/.k5login can be used to grant access to an account for applications that support Kerberos, as does OpenSSH with those GSS patches, but .k5login does not and cannot provide

...en; +int user_key_allowed(struct passwd *, Key *); typedef struct ssh_gssapi_cred_cache { @@ -98,24 +99,39 @@ ssh_gssapi_krb5_userok(char *name) { krb5_principal princ; int retval; + char *by; + Key k; if (ssh_gssapi_krb5_init() == 0) return 0; - + + k.type = KEY_NAME; + k.name = gssapi_client_name.value; + k.name_type = "krb5"; + if ((retval=krb5_parse_name(krb_context, gssapi_client_name.value, &princ))) { log("krb5_parse_name(): %.100s", krb5_get_err_text(krb_context,retval)); return 0; } - if (krb5_kuserok(krb_context, princ, name)) { + + /...