Should auth_krb4_password read .klogin ?
Booker C. Bense
bbense at networking.stanford.edu
Thu Nov 29 08:11:12 EST 2001
- One of Stanford's local oddities in it's kerberos deployment
is that it supports using the password of a principal in the
.klogin file to access an account. i.e. if
bbogon at IR.STANFORD.EDU
is listed in my .klogin file, the I can use bbogon's password
to log in at the console to my bbense account. We support this
where ever it makes sense ( or not...) Ssh k4 logins is one of
those places.
- Anyway, to make a long story short in the process of adding
this into auth_krb4_password I noticed that it does not check
that the created username principal is listed in the user's
.klogin file. This is a potential problem if you have a username
on your machine that is not the same person as the kerberos
principal it maps to. Unfortunately, there is no kerberos
library call that you can use at this point to access the
.klogin file ( kuserok requires an auth_dat structure.)
- At Stanford we turn this behaviour on/off with the prescence
of a flag file which is called /etc/leland/noklogin for historical
reasons. If it exists, then assume foo at IR.STANFORD.EDU is the
same as the local acct with username foo. If it's absent check
the .klogin file for the user before you grant access.
- I'll be hacking this behaviour into a local version of ssh, but
is there any interest in having these patches? The flag file
is ugly, but perhaps it could be changed to an config option.
- Booker C. Bense
More information about the openssh-unix-dev
mailing list