[Bug 1583] New: User principal name in AIX
bugzilla-daemon at bugzilla.mindrot.org
Thu Apr 2 16:37:44 EST 2009
https://bugzilla.mindrot.org/show_bug.cgi?id=1583
Summary: User principal name in AIX
Product: Portable OpenSSH
Version: 5.2p1
Platform: PPC
OS/Version: AIX
Status: NEW
Severity: normal
Priority: P2
Component: Kerberos support
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: miguel.sanders at arcelormittal.com
CC: miguel.sanders at arcelormittal.com
Created an attachment (id=1621)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1621)
Patch for user principal name
I'm currently observing a rather bizarre situation when using password
based Kerberos authentication in OpenSSH on AIX.
Even though AIX can authenticate a user via Kerberos (using the KRB5A
load module), OpenSSH cannot Kerberos authenticate this user.
This is caused by the fact that the user has two attributes which
OpenSSH doesn't take into account when forming the principal name of
the user (attributes auth_name and auth_domain).
If AIX user, myuser, has the attributes auth_name=someone and
auth_domain=SOMEWHERE, then the Kerberos principal name would be
someone@SOMEWHERE instead of myuser@DEFAULTREALM. By using the
auth_domain attribute, requests are sent to the SOMEWHERE realm
instead of the default realm DEFAULTREALM, which is listed in the
libdefaults section of the krb5.conf configuration file.
If I look at the code I can see the following in auth-krb5.c on line
88, which causes this behaviour:
    problem = krb5_parse_name(authctxt->krb5_ctx,
                              authctxt->pw->pw_name, &authctxt->krb5_user);
Since authctxt->pw->pw_name contains only the user name (without a
realm), the default realm will be automatically appended according to
the documentation of the krb5_parse_name call. Since this isn't the
correct realm name (the overwritten auth_domain is the correct one),
Kerberos authentication fails. If the auth_domain attribute is not set,
the default realm name will be used.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
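The following is an added illustration of the principal-name composition the report describes; it is not the attached patch (id=1621) and not OpenSSH code. It assumes one rule, which the report only implies: the name component is auth_name when that attribute is set (otherwise the login name from pw_name), and "@auth_domain" is appended only when auth_domain is set, so a user without it stays unqualified and krb5_parse_name() still appends the default realm from krb5.conf. The sample users are constructed; on AIX the two attribute values would be fetched from the user database (getuserattr() is the assumed source) rather than hard-coded. The helper also backslash-escapes '@', '/' and '\' in the name component so krb5_parse_name() does not misread them as a realm or component separator, and it rejects a domain that itself contains '@'.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Characters that krb5_parse_name() treats as separators unless escaped. */
static int needs_escape(char c)
{
    return c == '@' || c == '/' || c == '\\';
}

/*
 * Compose the string handed to krb5_parse_name() for an AIX user.
 * Assumed rule (illustrative, not the attached patch):
 *   - name component: auth_name if set, else the login name pw_name;
 *   - "@auth_domain" appended only if auth_domain is set; otherwise the
 *     string is left unqualified so the default realm gets appended.
 * Returns a malloc()'d string the caller must free(), or NULL on bad input.
 */
char *build_principal(const char *pw_name, const char *auth_name,
                      const char *auth_domain)
{
    const char *name = (auth_name != NULL && *auth_name != '\0') ? auth_name : pw_name;
    const char *realm = (auth_domain != NULL && *auth_domain != '\0') ? auth_domain : NULL;
    size_t len = 0, i;
    char *out, *p;

    if (name == NULL || *name == '\0')
        return NULL;
    /* A realm containing '@' cannot be expressed in the name@REALM form. */
    if (realm != NULL && strchr(realm, '@') != NULL)
        return NULL;

    for (i = 0; name[i] != '\0'; i++)
        len += needs_escape(name[i]) ? 2 : 1;
    if (realm != NULL)
        len += 1 + strlen(realm);

    out = malloc(len + 1);
    if (out == NULL)
        return NULL;

    p = out;
    for (i = 0; name[i] != '\0'; i++) {
        if (needs_escape(name[i]))
            *p++ = '\\';
        *p++ = name[i];
    }
    if (realm != NULL) {
        *p++ = '@';
        memcpy(p, realm, strlen(realm));
        p += strlen(realm);
    }
    *p = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample users; on AIX auth_name / auth_domain would be
     * read from the user database (getuserattr() is the assumed source). */
    struct { const char *pw, *an, *ad; } users[] = {
        { "myuser",  "someone", "SOMEWHERE" }, /* the report's example   */
        { "myuser",  NULL,      NULL },        /* no attributes set      */
        { "myuser",  NULL,      "SOMEWHERE" }, /* auth_domain only       */
        { "my@user", NULL,      NULL },        /* '@' in login name      */
    };
    size_t n;

    for (n = 0; n < sizeof(users) / sizeof(users[0]); n++) {
        char *princ = build_principal(users[n].pw, users[n].an, users[n].ad);
        printf("%-8s -> %s\n", users[n].pw, princ != NULL ? princ : "(rejected)");
        free(princ);
    }
    return 0;
}
```

The first sample reproduces the report: myuser with auth_name=someone and auth_domain=SOMEWHERE yields someone@SOMEWHERE, whereas passing pw_name alone would make krb5_parse_name() produce myuser@DEFAULTREALM and the authentication fail.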