Displaying 11 results from an estimated 11 matches for "krb5_user".
2012 Aug 10
11
[Bug 2032] New: Local user name in krb5_kuserok call
...--> https://bugzilla.mindrot.org/attachment.cgi?id=2179&action=edit
Patch
Hi Darren
Apparently, I made a small mistake when implementing #1583 back in
5.4p1
@@ -146,7 +146,7 @@
if (problem)
goto out;
- if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
client)) {
+ if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
authctxt->pw->pw_name)) {
problem = -1;
goto out;
}
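Review bot: the replacement third argument at the krb5_kuserok() call leaves `client` without a visible use in these lines; if `client` is now unused in the function, drop it. Also add a short comment above the call stating that the principal is checked against the local account name (authctxt->pw->pw_name), so the argument is not swapped back later.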
The krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client) call
verifies if principal "authctxt->...
2003 Aug 08
1
Help request: merging OpenBSD Kerberos change into Portable.
...uthctxt->krb5_ctx, &krb5_mcc_ops,
- &authctxt->krb5_fwd_ccache);
+ problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache);
if (problem)
goto out;
- problem = krb5_cc_initialize(authctxt->krb5_ctx,
- authctxt->krb5_fwd_ccache, authctxt->krb5_user);
+ problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
+ authctxt->krb5_user);
if (problem)
goto out;
restore_uid();
+
problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
- authctxt->krb5_fwd_ccache, password, 1, NULL);
+ ccache, password, 1...
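Review bot: the second `goto out` (after krb5_cc_initialize) is now reached with the new cache held only in the local `ccache`, no longer in authctxt->krb5_fwd_ccache, so whatever cleanup runs at `out:` has to destroy `ccache` as well; the visible lines do not show that label being updated. Initialise `ccache` to NULL at its declaration and destroy it at `out:` when it is non-NULL.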
2005 Dec 09
0
openssh & kerberos difficulties
...password authentication. However gssapi access works
with multiple default realms, at least for HEIMDAL. It should be fine if sshd
uses all default realms or all realms defined in /etc/krb5.conf.
For HEIMDAL I replaced the line
"problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user, ccache,
password, 1, NULL);"
by a line
"problem = krb5_verify_user_lrealm(authctxt->krb5_ctx, authctxt->krb5_user,
ccache, password, 1, NULL);"
in the file auth-krb5.c and the Kerberos password authentication takes into
account all locally defined realms in /etc/krb5.conf f...
2002 Jan 24
1
PATCH: krb4/krb5/... names/patterns in auth_keys entries
...- added documentation for new key types and the new auth_keys option
- auth-krb4.c
- modified auth_krb4() to build a Key struct and call user_key_allowed()
- auth-krb5.c
- modified auth_krb5() to build a Key struct and call user_key_allowed()
- gss-serv.c
- modified ssh_gssapi_krb5_userok() to build a Key struct and
call user_key_allowed()
Comments?
Nico
2003 Mar 26
0
Password expiry in auth-krb5.c
...280
#5 0x1aaac in privsep_preauth () at sshd.c:603
#6 0x1d45c in main (ac=3, av=0xffbefaac) at sshd.c:1497
At first, I simply tried to add the stock Kerberos prompter to
krb5_get_init_creds_password:
problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
authctxt->krb5_user, (char *)password, krb5_prompter_posix, NULL, 0, NULL, NULL);
however, this returned KRB5_LIBOS_CANTREADPWD due to the fact that fds 0 and
1 are closed and not connected to a socket.
2005 Nov 27
3
OpenSSH and Kerberos / Active Directory authentication problems: Credentials cache permission incorrect / No Credentials Cache found
...rrect)
Failed password for <user> from <ip> port <port> ssh2
--
I had a look at the responsible source code in auth-krb5.c. By doing
some debugging there I found out that the following code fragment fails:
auth-krb5.c:137
---
if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
authctxt->pw->pw_name)) {
problem = -1;
goto out;
}
---
When I comment out this if-block then I can login using OpenSSH's
internal kerberos support and even get my kerberos5 ticket and KRB5CCNAME.
I'm not that involved in kerberos on the coding side. What does the
krb5_kus...
2009 Mar 27
1
Patch for default Kerberos realm in AIX
...realm DEFAULTREALM, which is listed in the libdefaults section of the krb5.conf configuration file.
If I look at the code I can see the following in auth-krb5.c on line 88, which causes this behaviour:
problem = krb5_parse_name(authctxt->krb5_ctx, authctxt->pw->pw_name,&authctxt->krb5_user);
Since authctxt->pw->pw_name contains only the user name (without a realm), the default realm will be automatically appended according to the documentation of the krb5_parse_name call. Since this isn't the correct realm name (the overwritten auth_domain is the correct one), Kerberos aut...
2005 Jul 06
0
[PATCH] Simplify Kerberos credentials cache code
..._resolve(authctxt->krb5_ctx, ccname, &authctxt->krb5_fwd_ccache);
- if (problem)
- goto out;
+ problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache);
problem = krb5_cc_initialize(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
authctxt->krb5_user);
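Review bot: the return value of ssh_krb5_cc_gen() is overwritten before it is checked. The hunk removes `if (problem) goto out;` and the next statement assigns `problem` again from krb5_cc_initialize(), so a failure to create the cache falls through and authctxt->krb5_fwd_ccache is passed to krb5_cc_initialize() without having been set. Keep the `if (problem) goto out;` check directly after the new call.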
@@ -234,4 +210,31 @@
}
}
+#ifndef HEIMDAL
+krb5_error_code
+ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
+ int tmpfd;
+ char ccname[40];
+ mode_t old_umask;
+
+ snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
+
+ old_umask = umask(0177);
+ tmpfd...
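Review bot: in ssh_krb5_cc_gen(), `%d` is given geteuid(), which returns uid_t, so the format and argument types do not match and a UID above INT_MAX would print as a negative number; cast explicitly, for example `(unsigned long)geteuid()` with `%lu`, and check the snprintf() return against sizeof(ccname) so a truncated template is rejected. Since umask(0177) is changed just before `tmpfd` is assigned, make sure `old_umask` is restored on the error paths too.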
2002 Jul 31
2
privsep+kerb5+ssh1
...uthctxt);
if (problem)
@@ -131,7 +130,7 @@
/* if client wants mutual auth */
problem = krb5_mk_rep(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
- &reply);
+ reply);
if (problem)
goto err;
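Review bot: krb5_mk_rep() now receives `reply` as passed in rather than the address of a local, so `reply` has to be a valid pointer supplied by the caller, and the visible lines do not check it. Either reject a NULL `reply` at the top of the function or state in a comment at the function header that the caller must provide the output buffer.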
@@ -144,19 +143,16 @@
krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user,
client);
- packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);
- packet_put_string((char *) reply.data, reply.length);
- packet_send();
- packet_write_wait();
-
ret = 1;
err:
if (server)
krb5_free_principal(authctxt->krb5_ctx, server);
if (ticket)
krb5_free_ticket(authctxt->...
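Review bot: with the packet_start()/packet_put_string()/packet_send()/packet_write_wait() block removed, this function sets `ret = 1` without sending SSH_SMSG_AUTH_KERBEROS_RESPONSE, and nothing in the visible cleanup under `err:` releases the reply data. Document at the function header that the caller now sends the response and owns (and must free) the reply contents, including on the failure path.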
2009 Apr 02
17
[Bug 1583] New: User principal name in AIX
...realm DEFAULTREALM, which is listed in the
libdefaults section of the krb5.conf configuration file.
If I look at the code I can see the following in auth-krb5.c on line
88, which causes this behaviour:
problem = krb5_parse_name(authctxt->krb5_ctx,
authctxt->pw->pw_name,&authctxt->krb5_user);
Since authctxt->pw->pw_name contains only the user name (without a
realm), the default realm will be automatically appended according to
the documentation of the krb5_parse_name call. Since this isn't the
correct realm name (the overwritten auth_domain is the correct one),
Kerberos aut...
2003 Aug 10
9
updated gssapi diff
...==================================================
RCS file: /home/hack/jakob/mycvs/sshgss/auth.h,v
retrieving revision 1.1.1.2
retrieving revision 1.3
diff -u -r1.1.1.2 -r1.3
--- auth.h 10 Aug 2003 14:06:43 -0000 1.1.1.2
+++ auth.h 10 Aug 2003 14:25:01 -0000 1.3
@@ -67,6 +67,7 @@
krb5_principal krb5_user;
char *krb5_ticket_file;
#endif
+ void *methoddata;
};
/*
* Every authentication method has to handle authentication requests for
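Review bot: the new `void *methoddata` member is added without a comment, and an untyped per-method pointer in the authentication context needs its ownership spelled out: which method sets it, who frees it, and that it is reset to NULL when the client switches authentication method, so one method never dereferences another's state. Add that as a comment on the field.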
Index: auth2-gss.c
===================================================================
RCS file: auth2-gss.c
diff -N auth2-gss.c
--- /dev/null 1 Jan 1970 00:00:...