On Wednesday, 8 August 2012 at 12:39, Simon Josefsson wrote:
> Mats Erik Andersson <[email protected]> writes:
>
> Thank you! Patch applied.
>
> > * No falling back to other authentication types, as this would
> > constitute a security breach in itself.
>
> I think you refer to the case where there is no .k5login file. I recall
> that MIT/Heimdal fall back on a strcmp-like approach in this situation,
> don't they? If the file doesn't exist, I think the semantics in
> MIT/Heimdal is that if your principal matches the username, you are let
> in. Please check this and follow up.
My preferred interpretation is that

    shishi_authorize_p (h, "k5login");

should only set authorization type "k5login", nothing more, nothing less.
Allowing the fallback is equivalent to making the above call equal to

    shishi_authorize_p (h, "k5login basic");

I find it important to be able to enforce a distinction here.

Best regards,
  Mats E A

_______________________________________________
Help-shishi mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/help-shishi
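The distinction argued over in this thread, as an added stand-alone example that is not Shishi code and does not use the Shishi API: an authorization decision that evaluates a space-separated list of types in order. With "k5login" alone, a missing .k5login file denies; only when "basic" is also listed does the principal-matches-username rule apply. The function names `authorize`, `authz_k5login` and `authz_basic`, the `DEFAULT_REALM` value and the inline .k5login contents are all constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed default realm used by the "basic" rule (example value, not Shishi config). */
#define DEFAULT_REALM "EXAMPLE.ORG"

/* "k5login": authorized only if the file exists and one line equals the
   full principal name. k5login == NULL models a missing file and denies;
   this rule never falls back to anything else on its own. */
static bool authz_k5login(const char *principal, const char *k5login)
{
    if (k5login == NULL)
        return false;
    size_t plen = strlen(principal);
    const char *p = k5login;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len > 0 && p[len - 1] == '\r')   /* tolerate CRLF line endings */
            len--;
        if (len == plen && memcmp(p, principal, plen) == 0)
            return true;
        if (!nl)
            break;
        p = nl + 1;
    }
    return false;
}

/* "basic": authorized only if the principal is exactly <username>@DEFAULT_REALM.
   The realm is checked so that a same-named principal from another realm
   does not match (a simplification of the aname-to-localname mapping). */
static bool authz_basic(const char *principal, const char *username)
{
    size_t ulen = strlen(username);
    if (strncmp(principal, username, ulen) != 0 || principal[ulen] != '@')
        return false;
    return strcmp(principal + ulen + 1, DEFAULT_REALM) == 0;
}

/* Evaluate the configured authorization types in order; the first one that
   authorizes wins, and unknown types are ignored. "k5login" alone therefore
   denies when the file is missing, while "k5login basic" falls back. */
bool authorize(const char *types, const char *principal,
               const char *username, const char *k5login)
{
    const char *p = types;
    while (*p) {
        while (*p == ' ')
            p++;
        if (!*p)
            break;
        const char *end = p;
        while (*end && *end != ' ')
            end++;
        size_t len = (size_t)(end - p);
        if (len == 7 && strncmp(p, "k5login", 7) == 0) {
            if (authz_k5login(principal, k5login))
                return true;
        } else if (len == 5 && strncmp(p, "basic", 5) == 0) {
            if (authz_basic(principal, username))
                return true;
        }
        p = end;
    }
    return false;
}

int main(void)
{
    /* Constructed .k5login contents for the local account "mats". */
    const char *k5login = "alice@EXAMPLE.ORG\n";
    printf("k5login, no file, mats@EXAMPLE.ORG -> %d\n",
           authorize("k5login", "mats@EXAMPLE.ORG", "mats", NULL));
    printf("k5login basic, no file, mats@EXAMPLE.ORG -> %d\n",
           authorize("k5login basic", "mats@EXAMPLE.ORG", "mats", NULL));
    printf("k5login, file present, alice@EXAMPLE.ORG -> %d\n",
           authorize("k5login", "alice@EXAMPLE.ORG", "mats", k5login));
    return 0;
}
```

The ordering matters for the policy question in the thread: if the file exists but lists only other principals, "k5login" denies even a principal whose name matches the account, and the administrator has to list "basic" explicitly to get the MIT/Heimdal-style fallback.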
