Saturday 18 August 2012

OpenSSH : Local user name in krb5_kuserok call

Introduction:
Currently, it is observed that OpenSSH does not handle the krb5_kuserok call properly.

Impacted:
- OpenSSH <= 6.1p1

Details:
The krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client) call verifies whether principal "authctxt->krb5_user" is allowed to log in as local user "client". However, if AUTH_DOMAIN is set, "client" will be of the form USER@REALM, which breaks the call. As a result, the last parameter should always be the local user name (authctxt->pw->pw_name), as it was before Bugzilla item #1583 was implemented.
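To make the failure mode concrete, the following added example (not OpenSSH or krb5 code) models in Python the decision krb5_kuserok(ctx, principal, luser) makes and runs it with both the buggy "client" argument and the local account name. The rules it applies are a simplified rendering of krb5's default behaviour and are an assumption: a .k5login file, if the account has one, must list the principal; otherwise the principal must be exactly <luser>@<default realm>. The realm, the account table and the way "client" is built from the post's description are constructed for the example.

```python
# Added example (not OpenSSH or krb5 code): a model of krb5_kuserok's
# authorization decision, used to show why passing "USER@REALM" as the
# local user name fails while passing pw_name works.

DEFAULT_REALM = "EXAMPLE.COM"  # constructed value for the example

# Constructed local account table: account name -> .k5login entries
# (None means the account exists but has no .k5login file).
ACCOUNTS = {
    "alice": None,
    "bob": ["bob@EXAMPLE.COM", "admin/bob@EXAMPLE.COM"],
}


def kuserok_model(principal: str, luser: str) -> bool:
    """Return True if `principal` may log in as local account `luser`.

    Simplified rendering of krb5's default rules (assumption):
    - an unknown local account is never authorised (getpwnam() fails);
    - if the account has a .k5login, the principal must be listed in it;
    - otherwise the principal must be <luser>@<DEFAULT_REALM>.
    """
    if luser not in ACCOUNTS:
        return False
    k5login = ACCOUNTS[luser]
    if k5login is not None:
        return principal in k5login
    name, sep, realm = principal.rpartition("@")
    return sep == "@" and name == luser and realm == DEFAULT_REALM


def sshd_kuserok_call(principal: str, pw_name: str, auth_domain_set: bool) -> dict:
    """Model both call sites described in the post.

    'buggy' follows the <= 6.1p1 behaviour, where with AUTH_DOMAIN set the
    "client" argument becomes USER@REALM; 'fixed' always passes pw_name, as
    the Bugzilla #2032 patch does. How "client" is built here is an
    assumption taken from the post's description, not the actual sshd code.
    """
    client = f"{pw_name}@{DEFAULT_REALM}" if auth_domain_set else pw_name
    return {
        "client_arg": client,
        "buggy": kuserok_model(principal, client),
        "fixed": kuserok_model(principal, pw_name),
    }


if __name__ == "__main__":
    cases = [
        ("alice@EXAMPLE.COM", "alice"),      # default-realm principal, no .k5login
        ("admin/bob@EXAMPLE.COM", "bob"),    # listed in bob's .k5login
        ("alice@OTHER.COM", "alice"),        # foreign realm: must stay denied
    ]
    for principal, user in cases:
        print(f"{principal} -> {user}: {sshd_kuserok_call(principal, user, True)}")
```

With AUTH_DOMAIN set, every legitimate login is denied by the buggy call because "alice@EXAMPLE.COM" is not a local account name, so the .k5login and default-realm rules never even apply; the fixed call authorises the expected principals and still denies a principal from another realm, which is the behaviour the local-user-name argument is meant to give.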

Resolution:
- Bugzilla item #2032 was created to address this issue. The item contains a patch to the source which resolves the issue.