search for: krb5_parse_name

...= krb5_init_context(&context); if(problem) { printf("\nproblem in initialization and krb5_init_context fails\n"); exit(0); } else printf("\nNo problem in initialization and krb5_init_context succeeds\n"); } problem=krb5_parse_name(context,str,&client); if(problem) { printf("\nproblem in parsing and krb5_parse_name fails\n"); exit(0); } else printf("\nNo problem in parsing and krb5_parse_name succeeds\n"); mypassword=argv[2]; problem=krb5_get_init_creds_passw...

...domain attribute, requests are sent to to the SOMEWHERE realm instead of the default realm DEFAULTREALM, which is listed in the libdefaults section of the krb5.conf configuration file. If I look at the code I can see the following in auth-krb5.c on line 88, which causes this behaviour: problem = krb5_parse_name(authctxt->krb5_ctx, authctxt->pw->pw_name,&authctxt->krb5_user); Since authctxt->pw->pw_name contains only the user name (without a realm), the default realm will be automatically appended according to the documentation of the krb5_parse_name call. Since this isn't the co...

...+ * GSSAPI mechanisms will need their own. + * Returns true if the user is OK to log in, otherwise returns 0 + */ + +static int +ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name) +{ + krb5_principal princ; + int retval; + + if (ssh_gssapi_krb5_init() == 0) + return 0; + + if ((retval = krb5_parse_name(krb_context, client->exportedname.value, + &princ))) { + logit("krb5_parse_name(): %.100s", + krb5_get_err_text(krb_context, retval)); + return 0; + } + if (krb5_kuserok(krb_context, princ, name)) { + retval = 1; + logit("Authorized to %s, krb5 principal %s (krb5_...

Playing around with the [wonderful] GSS-API patches for OpenSSH [1] I noticed that there is a bit of functionality missing from OpenSSH/GSS-API, namely that authorized_keys2 has no meaning when using GSS authentication. Yes, ~/.k5login can be used to grant access to an account for applications that support Kerberos, as does OpenSSH with those GSS patches, but .k5login does not and cannot provide

Attached is a patch which in my environment (Linux/Heimdal 1.2.1) fixes cross-realm GSSAPI authentication. Changes it makes: 1. When using krb5_kuserok, do not call gss_compare_name to check that authn_name and authz_name are the same. Instead, make TWO calls to krb5_kuserok, one for each ID. If both IDs are acceptable, allow the login. 2. Disable checking that the name is a

...domain attribute, requests are sent to to the SOMEWHERE realm instead of the default realm DEFAULTREALM, which is listed in the libdefaults section of the krb5.conf configuration file. If I look at the code I can see the following in auth-krb5.c on line 88, which causes this behaviour: problem = krb5_parse_name(authctxt->krb5_ctx, authctxt->pw->pw_name,&authctxt->krb5_user); Since authctxt->pw->pw_name contains only the user name (without a realm), the default realm will be automatically appended according to the documentation of the krb5_parse_name call. Since this isn't the co...

...c5dcf26c0d87d9e8342d2c946e039066de29d30a Author: Jeff Layton <jlayton at samba.org> Date: Thu Mar 29 09:11:29 2012 -0400 cifs.upcall: use krb5_sname_to_principal to construct principal name Currently, we build the string by hand then then construct the principal name with krb5_parse_name. That bypasses the domain_realm section in krb5.conf however. Switch the code to use krb5_sname_to_principal instead which is more suited to this task. In order for that to work, we change a couple of calling functions to pass down a hostname instead of a principal name, an...

...@krb5_3_MIT' /net/172.17.8.206/usr/local/avinash/p4/iControl/src/subsystems/src/thirdparty/libs/libsmbclient.so: undefined reference to `krb5_kt_free_entry@krb5_3_MIT' /net/172.17.8.206/usr/local/avinash/p4/iControl/src/subsystems/src/thirdparty/libs/libsmbclient.so: undefined reference to `krb5_parse_name@krb5_3_MIT' /net/172.17.8.206/usr/local/avinash/p4/iControl/src/subsystems/src/thirdparty/libs/libsmbclient.so: undefined reference to `krb5_kt_default@krb5_3_MIT' /lib/libssl.so.6: undefined reference to `krb5_rc_initialize@krb5_3_MIT' /lib/libssl.so.6: undefined reference to `valid_ck...

...gister() Feb 11 09:20:40 mail auth: in openpam_get_option(): entering: 'auth_as_self' Feb 11 09:20:40 mail auth: in openpam_get_option(): returning NULL Feb 11 09:20:40 mail auth: in pam_sm_authenticate(): Created principal: woodsb02 Feb 11 09:20:40 mail auth: in pam_sm_authenticate(): Done krb5_parse_name() Feb 11 09:20:40 mail auth: in pam_sm_authenticate(): Got principal: woodsb02 at WOODS.AM Feb 11 09:20:40 mail auth: in pam_get_authtok(): entering Feb 11 09:20:40 mail auth: in pam_get_item(): entering: PAM_RHOST Feb 11 09:20:40 mail auth: in pam_get_item(): returning PAM_SUCCESS Feb 11 09:20:40...

...auth: in openpam_get_option(): entering: > 'auth_as_self' > Feb 11 09:20:40 mail auth: in openpam_get_option(): returning > NULL > Feb 11 09:20:40 mail auth: in pam_sm_authenticate(): Created principal: > woodsb02 > Feb 11 09:20:40 mail auth: in pam_sm_authenticate(): Done krb5_parse_name() > Feb 11 09:20:40 mail auth: in pam_sm_authenticate(): Got principal: > woodsb02 at WOODS.AM > Feb 11 09:20:40 mail auth: in pam_get_authtok(): > entering > Feb 11 09:20:40 mail auth: in pam_get_item(): entering: > PAM_RHOST > Feb 11 09:20:40 mail auth: in pam_get_item(): ret...

...ssapi_cred_cache { @@ -98,24 +99,39 @@ ssh_gssapi_krb5_userok(char *name) { krb5_principal princ; int retval; + char *by; + Key k; if (ssh_gssapi_krb5_init() == 0) return 0; - + + k.type = KEY_NAME; + k.name = gssapi_client_name.value; + k.name_type = "krb5"; + if ((retval=krb5_parse_name(krb_context, gssapi_client_name.value, &princ))) { log("krb5_parse_name(): %.100s", krb5_get_err_text(krb_context,retval)); return 0; } - if (krb5_kuserok(krb_context, princ, name)) { + + /* Try authorized_keys first */ + by = "authorized_keys"; + retv...

..._init() == 0) return 0; + k.type = KEY_NAME; + k.name = gssapi_client_name.value; + k.name_len = strlen(gssapi_client_name.value); + k.name_type = "krb5"; + + debug3("ssh_gssapi_krb5_userok:"); + debug3("ssh_gssapi_krb5_userok: %s", k.name_type); + if ((retval=krb5_parse_name(krb_context, gssapi_client_name.value, &princ))) { log("krb5_parse_name(): %.100s", krb5_get_err_text(krb_context,retval)); return 0; } + + retval2 = user_key_allowed(getpwnam(name), &k); + if (retval2 < 0) { + krb5_free_principal(krb_context, princ); +...