Mats Erik Andersson <[email protected]> writes:

> The present code for the authorization type "k5login"
> contains serious security issues, should it have been
> possible to activate it. Fortunately, the code does
> not even construct the path "$HOME/.k5login" correctly,
> so the code will never get into action!
>
> The present patch addresses "lib/authorize.c" on the following
> points of importance:
Thank you! Patch applied.

> * No falling back to other authentication types, as this would
> constitute a security breach in itself.

I think you refer to the case where there is no .k5login file. I recall that MIT/Heimdal fall back on a strcmp-like approach in this situation, doesn't it? If the file doesn't exist, I think the semantics in MIT/Heimdal is that if your principal matches the username, you are let in. Please check this and followup.

/Simon

_______________________________________________
Help-shishi mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/help-shishi
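An added illustration of the semantics under discussion, written for this page and not taken from Shishi's lib/authorize.c or from the patch above: a k5login check in C that (a) with the file present accepts only principals listed on a whole line of the file, an empty file accepting nobody, and (b) with the file absent accepts only the principal user@REALM, which is the MIT/Heimdal behaviour as Simon recalls it and is assumed here rather than verified against either implementation. The function names, the explicit realm parameter, the construction of the path from the passwd entry instead of $HOME, and the ownership and permission checks on the file are the example's own choices.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Decide whether PRINCIPAL may log in as local user USERNAME.
 * K5LOGIN is the content of the user's .k5login (one principal per line),
 * or NULL when the file does not exist.  REALM is the server's default realm.
 * Assumed semantics (as recalled in the thread for MIT/Heimdal):
 *   file present: only principals listed on a whole line, no prefix match;
 *   file absent:  only USERNAME@REALM is accepted;
 *   no other fallback in either case.
 * Returns 1 to authorize, 0 to deny. */
int k5login_authorize_text (const char *principal, const char *username,
                            const char *realm, const char *k5login)
{
  if (principal == NULL || username == NULL || realm == NULL)
    return 0;

  if (k5login == NULL)
    {
      size_t ulen = strlen (username);
      if (strncmp (principal, username, ulen) != 0 || principal[ulen] != '@')
        return 0;
      return strcmp (principal + ulen + 1, realm) == 0;
    }

  /* File present, possibly empty: an empty file authorizes nobody. */
  size_t plen = strlen (principal);
  const char *line = k5login;
  while (*line != '\0')
    {
      const char *nl = strchr (line, '\n');
      size_t len = nl ? (size_t) (nl - line) : strlen (line);
      if (len > 0 && line[len - 1] == '\r')
        len--;                      /* tolerate CRLF line endings */
      if (len == plen && memcmp (line, principal, len) == 0)
        return 1;
      if (nl == NULL)
        break;
      line = nl + 1;
    }
  return 0;
}

/* Locate and read USERNAME's .k5login, then apply the rules above.
 * The path comes from the passwd entry, not from $HOME, so the caller's
 * environment cannot redirect the lookup.  The ownership/permission checks
 * are an added safeguard assumed here, not something the thread specifies. */
int k5login_authorize_user (const char *principal, const char *realm,
                            const char *username)
{
  struct passwd *pw = getpwnam (username);
  if (pw == NULL)
    return 0;

  char path[4096];
  int n = snprintf (path, sizeof path, "%s/.k5login", pw->pw_dir);
  if (n < 0 || (size_t) n >= sizeof path)
    return 0;

  FILE *f = fopen (path, "r");
  if (f == NULL)
    {
      /* Only a genuinely missing file triggers the user@REALM rule;
         any other error (e.g. EACCES) denies. */
      if (errno == ENOENT)
        return k5login_authorize_text (principal, username, realm, NULL);
      return 0;
    }

  struct stat st;
  int ok = 0;
  if (fstat (fileno (f), &st) == 0 && S_ISREG (st.st_mode)
      && (st.st_uid == pw->pw_uid || st.st_uid == 0)
      && (st.st_mode & (S_IWGRP | S_IWOTH)) == 0
      && st.st_size < 1024 * 1024)
    {
      char *buf = malloc ((size_t) st.st_size + 1);
      if (buf != NULL)
        {
          size_t got = fread (buf, 1, (size_t) st.st_size, f);
          buf[got] = '\0';
          ok = k5login_authorize_text (principal, username, realm, buf);
          free (buf);
        }
    }
  fclose (f);
  return ok;
}

int main (void)
{
  const char *sample = "bob@EXAMPLE.ORG\n";   /* constructed sample file */
  printf ("bob via file: %d\n", k5login_authorize_text ("bob@EXAMPLE.ORG", "alice", "EXAMPLE.ORG", sample));
  printf ("alice, no file: %d\n", k5login_authorize_text ("alice@EXAMPLE.ORG", "alice", "EXAMPLE.ORG", NULL));
  return 0;
}
```

The two branches are deliberately the only paths to a positive result: a present file is consulted and nothing else, so a file that lists only bob@EXAMPLE.ORG denies alice@EXAMPLE.ORG even though she owns the account, and the missing-file rule requires an exact user@REALM match rather than a prefix match, so alicex@EXAMPLE.ORG is not accepted as alice.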
