similar to: Help request: merging OpenBSD Kerberos change into Portable.

The attached patch removes the duplicated credentials cache generation code in auth-krb5.c and gss-serv-krb5.c, by turning it into a procedure which is then called by both sections of code. It's against the latest portable CVS tree. Cheers, Simon. -------------- next part -------------- Index: auth-krb5.c =================================================================== RCS file:

Here is a patch I just wrote and tested which may be of interest to those who wish to use KerberosGetAFSToken (currently requires Heimdal libkafs) in combination with GSSAPIDelegateCredentials. The patch is in the public domain and comes with no warranty whatsoever. Applies to pristine 3.8p1. Works for me on Solaris and Tru64. I'd probably have used Doug Engert's patch from 2004-01-30 if

I'm using a OpenSSH 3.0.2p1 with the krb5 patch from <http://www.sxw.org.uk/computing/patches/openssh.html>. I'm getting KRB5CCNAME set to "" even though <http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=98269278629018&w=2> mentions fixing it. This causes things like kinit to fail with a somewhat uninformative error message. The relevant sshd_config lines

this is the proposed gssapi diff against OpenSSH-current (non-portable). note: if this goes in, the old krb5 auth (ssh.com compatible) will be removed. please comment. jakob Index: auth.h =================================================================== RCS file: /home/hack/jakob/mycvs/sshgss/auth.h,v retrieving revision 1.1.1.2 retrieving revision 1.3 diff -u -r1.1.1.2 -r1.3 --- auth.h

https://bugzilla.mindrot.org/show_bug.cgi?id=2032 Priority: P5 Bug ID: 2032 Assignee: unassigned-bugs at mindrot.org Summary: Local user name in krb5_kuserok call Severity: normal Classification: Unclassified OS: AIX Reporter: miguel.sanders at uniforce.be Hardware: PPC Status: NEW

1/ When I access with GSSAPIAuthentication & GSSAPIDelegateCredentials the option KerberosGetAFSToken does not work. The tickets are transfered correctly because the AFS tokens are obtained if the command afslog is inserted in /etc/ssh/sshrc file. 2/ When multiple realms are defined in /etc/krb5.conf sshd uses only the first default realm for kerberos password authentication. However gssapi

please test Olaf Kirch's patch. it looks fine to me, but i don't to K5. i'd like to see this in the next release. thx -m -------------- next part -------------- --- openssh-3.4p1/auth-krb5.c.krb Sun Jun 9 21:41:48 2002 +++ openssh-3.4p1/auth-krb5.c Tue Jul 23 15:15:43 2002 @@ -73,18 +73,17 @@ * from the ticket */ int -auth_krb5(Authctxt *authctxt, krb5_data *auth, char

This patch (to OpenSSH 3.0.2p1) adds support for using krb4, krb5 and other principal names in authorized_keys entries. It's a sort of replacement for .klogin and .k5login, but it's much more general than .k*login as it applies to any authentication mechanism where a name is associated with the ssh client and it supports name patterns and all the normal authorized_keys entry options

Due to difficulties in getting PAM (with krb5) password expiry working consistently on multiple platforms, I'd like to see if I could hack something into auth-krb5.c to do so. Here's a backtrace when stopped in auth_krb5_password: #0 auth_krb5_password (authctxt=0x8e148, password=0x90250 "XXXXXXXX") at auth-krb5.c:270 #1 0x274d8 in auth_password (authctxt=0x8e148,

Hi I'm currently observing a rather bizarre situation when using password based Kerberos authentication in OpenSSH on AIX. Even though AIX can authenticate a user via Kerberos (using the KRB5A load module), OpenSSH cannot Kerberos authenticate this user. This is caused by the fact that the user has two attributes which OpenSSH doesn't take into account when forming the principal name of

Would OpenSSH be willing to accept a modification similar to the one below to replace the kafs modification to get an AFS PAG and token? The nice features of this are that it can be compiled in even if OpenAFS is not available. At runtime if the dynamic library is present, it can be loaded and called. A dynamic lib is used so the setpag is in the same process. It has been reported that the

Greetings, I'm working on the infrastructure of a medium size client/server environment using an Active Directory running on Windows Server 2003 for central authentication of users on linux clients. Additionally OpenAFS is running using Kerberos authentication through Active Directory as well. Now I want to grant users remote access to their AFS data by logging in into a central OpenSSH

Hi All, I am using libsmbclient.so (3.0.25b). But I am getting following error when I try to compile my program. Could any one of you please let me know as how should I go about resolving this error ? Thanks and Regards, Avinash g++ -g -O2 -o GenericCrwl crwl_cmdargs.o crwl_main.o crwl_crawl.o ../thirdparty/libs/libdb_cxx-4.3.so

Hello, I going to use ssh with Kerberos V5 support along with support for AFS. I don't want to use Kerberos V4 or AFS token passing. The only thing I need from AFS is creating an AFS token (using appropriate function from krb5 API) after user's authentication. It seems to me that such scenario is not much supported by the current code. Rather it is assumed only Kerberos 4 will be used

https://bugzilla.mindrot.org/show_bug.cgi?id=1583 Summary: User principal name in AIX Product: Portable OpenSSH Version: 5.2p1 Platform: PPC OS/Version: AIX Status: NEW Severity: normal Priority: P2 Component: Kerberos support AssignedTo: unassigned-bugs at mindrot.org ReportedBy:

Hi All. Markus has commited the long-awaited GSSAPI patch to OpenBSD's ssh. There are patches. The first [1] is a straightforward port of the OpenBSD code to Portable. The second [2] contains the parts I've stolen from Simon Wilkinson's portable GSSAPI patch in an attempt to make it build. It is incomplete and doesn't currently work. The PAM support is not there and

Hi guys, everytime I try to join my Samba 3.0 Beta 3 server to my Windows 2003 ADS domain, net puts out following error: ***** SNIP ***** [2003/08/12 14:33:48, 1] libsmb/clikrb5.c:cli_krb5_get_ticket(343) krb5_set_default_tgs_ktypes failed (Program lacks support for encryption type)net: relocation error: net: undefined symbol: krb5_cc_initialize ***** SNAP ***** This is the full level 10

As far as I know this patch has no security implications -- I don't believe that allowing sshd to use get_local_name() (in canohost.c) on a connected socket to determine it's own fqdn will allow a malicious client (or router or dns server) to make it come to the wrong conclusion. But please let me know if you think I'm wrong. Please also let me know if you're just not interested

i try to join active directory but i got this error, i cant find doc on this. please help!! #net ads join -U admin net: relocation error: net: undefined symbol: krb5_cc_initialize big thx for help!!!!!!!!!

The Kerberos V support may still fail on hosts with two or more interfaces. Regards Markus -------------- next part -------------- *** auth-krb5.c.orig Mon May 20 11:51:57 2002 --- auth-krb5.c Mon May 20 11:53:34 2002 *************** *** 38,43 **** --- 38,44 ---- #include "servconf.h" #include "uidswap.h" #include "auth.h" + #include "canohost.h"