search for: ssh_gssapi_krb5_userok

Displaying 8 results from an estimated 8 matches for "ssh_gssapi_krb5_userok".

2017 Jan 04
2
[PATCH] Set KRB5PRINCIPAL in user environment
Signed-off-by: Johannes Löthberg <johannes at kyriasis.com> --- gss-serv-krb5.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c index 795992d9..a12bb244 100644 --- a/gss-serv-krb5.c +++ b/gss-serv-krb5.c @@ -106,6 +106,11 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name) } else retval = 0; +#ifdef USE_PAM + if (options.use_pam) + do_pam_putenv("KRB5PRINCIPAL", (char *)client->displayname.value); +#endif + krb5_free_principal(krb_context, princ); return retval; } -- 2.11.0
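Review bot: The added do_pam_putenv() call sits after the if/else that assigns retval, so it also runs on the path that has just executed `retval = 0`, and KRB5PRINCIPAL is placed in the PAM environment even when this function is about to report that the principal is not allowed. Guard it on the result, for example `if (retval && options.use_pam)`, so the variable is only set for a principal that passed the userok check.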
2001 Jun 28
1
Adding 'name' key types
Playing around with the [wonderful] GSS-API patches for OpenSSH [1] I noticed that there is a bit of functionality missing from OpenSSH/GSS-API, namely that authorized_keys2 has no meaning when using GSS authentication. Yes, ~/.k5login can be used to grant access to an account for applications that support Kerberos, as does OpenSSH with those GSS patches, but .k5login does not and cannot provide
2001 Aug 15
0
[ossh patch] principal name/patterns in authorized_keys2
...'krb4' key names would be trivial, but I cannot test such a patch. A question, in my mind, is whether the krb4/gss:krb5/gss:gsi ssh_*userok() code should require both, authorized_keys2 check *and* the underlying mechanism userok() check to succeed, or either, or what. My patch to gss-serv.c:ssh_gssapi_krb5_userok() requires either check to succeed. Below you should find two versions of this patch, one against OpenSSH 2.9p2, the other against 2.9p2 + Simon Wilkinson's GSS-API patches (*). NOTE: I did not strive too hard to keep to the code style of OpenSSH. Point me at the description of the OpenS...
2017 Jan 06
2
[PATCH] Set KRB5PRINCIPAL in user environment
...kyriasis.com> >>--- >> gss-serv-krb5.c | 5 +++++ >> 1 file changed, 5 insertions(+) >> >>diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c >>index 795992d9..a12bb244 100644 >>--- a/gss-serv-krb5.c >>+++ b/gss-serv-krb5.c >>@@ -106,6 +106,11 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name) >> } else >> retval = 0; >>+#ifdef USE_PAM >>+ if (options.use_pam) >>+ do_pam_putenv("KRB5PRINCIPAL", (char *)client->displayname.value); >>+#endif >>+ >> krb5_free_principal(krb_context, pr...
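Review bot: In the added call, `(char *)client->displayname.value` is passed to do_pam_putenv() as a C string with no check that the buffer is non-NULL and NUL-terminated; the hunk should either state where that is guaranteed or copy the value using its length before exporting it. The block is also compiled only under `#ifdef USE_PAM` and executed only when `options.use_pam` is set, so the commit message or documentation should say that KRB5PRINCIPAL is not available to sessions that do not go through PAM.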
2005 Aug 25
7
[Bug 1073] if userok rejects a user their creds still get set
...rising The reason is that kuserok is called right at the end of auth, the creds have been forwarded and sshd is ready to set up the logged in users' environment; then right at the last moment we decide not to allow gss to work - but sshd still stores the creds it has one line fix to this. In ssh_gssapi_krb5_userok, after failure do krb5_free_creds(krb_context, client->creds); this blows the forwarded creds away and so storecreds (called later) does nothing
2002 Jan 24
1
PATCH: krb4/krb5/... names/patterns in auth_keys entries
...- sshd.8 - added documentation for new key types and the new auth_keys option - auth-krb4.c - modified auth_krb4() to build a Key struct and call user_key_allowed() - auth-krb5.c - modified auth_krb5() to build a Key struct and call user_key_allowed() - gss-serv.c - modified ssh_gssapi_krb5_userok() to build a Key struct and call user_key_allowed() Comments? Nico -------------- next part -------------- Index...
2003 Aug 10
9
updated gssapi diff
...initialize krb5 context"); + return 0; + } + krb5_init_ets(krb_context); + + return 1; +} + +/* Check if this user is OK to login. This only works with krb5 - other + * GSSAPI mechanisms will need their own. + * Returns true if the user is OK to log in, otherwise returns 0 + */ + +static int +ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name) +{ + krb5_principal princ; + int retval; + + if (ssh_gssapi_krb5_init() == 0) + return 0; + + if ((retval = krb5_parse_name(krb_context, client->exportedname.value, + &princ))) { + logit("krb5_parse_name(): %.100s", + krb5_get_err_t...
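Review bot: In ssh_gssapi_krb5_userok(), `int retval` receives the return of krb5_parse_name(), while the function comment documents the return value as true or 0; holding a Kerberos error code and the login decision in the same variable makes it easy for a non-zero error to be read as "OK to log in" on a later path. Use a separate krb5_error_code variable for library results and keep retval for the boolean decision, initialised to 0.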
2014 Jul 15
3
GSSAPI
If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches? --- Scott Neugroschl | XYPRO Technology Corporation