[Bug 2032] New: Local user name in krb5_kuserok call

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Aug 10 22:30:06 EST 2012


https://bugzilla.mindrot.org/show_bug.cgi?id=2032

          Priority: P5
            Bug ID: 2032
          Assignee: unassigned-bugs at mindrot.org
           Summary: Local user name in krb5_kuserok call
          Severity: normal
    Classification: Unclassified
                OS: AIX
          Reporter: miguel.sanders at uniforce.be
          Hardware: PPC
            Status: NEW
           Version: 6.0p1
         Component: Kerberos support
           Product: Portable OpenSSH

Created attachment 2179
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2179&action=edit
Patch

Hi Darren

Apparently, I made a small mistake when implementing #1583 back in
5.4p1.

@@ -146,7 +146,7 @@
        if (problem)
                goto out;

-       if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
client)) {
+       if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
authctxt->pw->pw_name)) {
                problem = -1;
                goto out;
        }
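
Review bot: The third argument on the `+` line should carry a short comment stating that krb5_kuserok() expects the local account name there. The report describes passing `client` (USER@REALM when AUTH_DOMAIN is set) as a regression introduced with #1583, and nothing in the code prevents it from being reintroduced. The new argument also dereferences authctxt->pw and the hunk shows no check, so confirm it cannot be NULL on this path. The `-` and `+` lines as mailed are wrapped before the last argument, so apply attachment 2179 rather than this inline copy.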

The krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client) call
verifies if principal "authctxt->krb5_user" is allowed to login as
local user "client".
However, if AUTH_DOMAIN is set, "client" will be of the form
USER@REALM, which breaks the call.
As a result, the last parameter should always be the local user name
(authctxt->pw->pw_name) as it was before implementing #1583.

Can you please push the attached patch?

Thanks!

Miguel
