search for: userok

http://bugzilla.mindrot.org/show_bug.cgi?id=1073 Summary: if userok rejects a user their creds still get set Product: Portable OpenSSH Version: 3.9p1 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: Kerberos support AssignedTo: bitbucket at min...

...ld be added for dealing with named keys, that is, names which can be authenticated (e.g., certificate names, Kerberos principal names). The neat thing is that auth2.c:user_key_allowed() is key-type independent (so arguably it doesn't belong in auth2.c), and thus could be called from ssh_gssapi_userok() [instead of, or in addition to the GSS mechanism specific *userok() methods]. The only questions, in my mind, are - how to format key names for use in authorized_keys2? I propose starting the key blob with 'name:' followed by a possibly null mechanism name, another ':' a...

Attached is a patch which in my environment (Linux/Heimdal 1.2.1) fixes cross-realm GSSAPI authentication. Changes it makes: 1. When using krb5_kuserok, do not call gss_compare_name to check that authn_name and authz_name are the same. Instead, make TWO calls to krb5_kuserok, one for each ID. If both IDs are acceptable, allow the login. 2. Disable checking that the name is a GSS_KRB5_PRINCIPAL_NAME, as this doesn't appear to be always the c...

If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches? --- Scott Neugroschl | XYPRO Technology Corporation 4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |

..._token(int type, u_int32_t plen, void *ctxt); +static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); +static void input_gssapi_errtok(int, u_int32_t, void *); + +/* + * We only support those mechanisms that we know about (ie ones that we know + * how to check local user kuserok and the like + */ +static int +userauth_gssapi(Authctxt *authctxt) +{ + gss_OID_desc oid = {0, NULL}; + Gssctxt *ctxt = NULL; + int mechs; + gss_OID_set supported; + int present; + OM_uint32 ms; + u_int len; + char *doid = NULL; + + if (!authctxt->valid || authctxt->user == NULL) + return (0...

...oke keys! - authorized_keys2 is *much* more featureful than .klogin and .k5login are, regardless of Kerberos implementation source (KTH, Heimdal, MIT, SEAM, all implement pretty much the same all-or-nothing .klogin/.k5login functionality). A similar patch of gss-serv.c:ssh_gssapi_gsi_userok() to support the use of 'gsi' key names in authorized_keys2 would be trivial, but I cannot test GSI. A similar patch to auth-krb4.c:auth_krb4() to support the use of 'krb4' key names would be trivial, but I cannot test such a patch. A question, in my mind, is whether the krb4/gss:...