https://bugzilla.mindrot.org/show_bug.cgi?id=2032
Priority: P5
Bug ID: 2032
Assignee: [email protected]
Summary: Local user name in krb5_kuserok call
Severity: normal
Classification: Unclassified
OS: AIX
Reporter: [email protected]
Hardware: PPC
Status: NEW
Version: 6.0p1
Component: Kerberos support
Product: Portable OpenSSH
Created attachment 2179
--> https://bugzilla.mindrot.org/attachment.cgi?id=2179&action=edit
Patch
Hi Darren
Apparently, I made a small mistake when implementing #1583 back in
5.4p1
@@ -146,7 +146,7 @@
if (problem)
goto out;
- if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
client)) {
+ if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
authctxt->pw->pw_name)) {
problem = -1;
goto out;
}
The krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client) call
verifies if principal "authctxt->krb5_user" is allowed to login as
local user "client".
However, if AUTH_DOMAIN is set, "client" will be of the form
USER@REALM, which breaks the call.
As a result, the last parameter should always be the local user name
(authctxt->pw->pw_name) as it was before implementing #1583.
Can you please push the attached patch?
Thanks!
Miguel
--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
[email protected]
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
