Should auth_krb4_password read .klogin ?

John Hawkinson jhawk at MIT.EDU
Thu Nov 29 12:05:27 EST 2001


Booker C. Bense <bbense at networking.stanford.edu> wrote on Wed, 28 Nov 2001
at 16:11:59 -0800 in <Pine.GSO.4.33.0111281600390.12915-100000 at shred.stanford.edu>:


> - You're misunderstanding what I'm offering. IMHO, it's a misfeature
> of openssh to ignore the .klogin entries when accepting kerberos
> logins via password.

Ah. Right, indeed, I thought you were referring to the alternate
login principals thing.

> No other kerberos software does this.

Hmm. I guess I'm not under this impression. My reading of,
for instance, the kth-krb4 login program doesn't show me any
sign of this checking of password entries against the .klogin file.

Orally inquiring of somebody else, he suggests that this feature
might be present in Derrick Brashear's krb4 PAM support.
But of this regardless, I agree it makes sense, otherwise a local
machine's administrator has no way to prevent a kerberos administrator
from logging into any account on his machine.

> - This doesn't work in the current code, but for any local acct
> that has a non-zero uid it does.

*nod*.

> - I agree that reading .klogin for alternative login principals
...
> However, I am not offering those patches.

OK. Sorry about the confusion.

> - As far as contributing our local weirdnesses to MIT's k5 code,
> I have done quite a bit of that, but some things they just refuse
> to swallow. %-).

Umm, yeah.

Isn't this an issue for krb5, too, though, in ssh? I don't see a call
to krb5_kuserok() in auth_krb5_password(), and since there's no
requirement for anything other than a krb5_context, it should be pretty
easy. And we should fix it at the same time. No?

It seems that this is a problem with the sample stuff in MIT krb5,
e.g. appl/bsd/login.c; nor does Heimdal deal with it in
appl/login/login.c.

Eww. Who wants to take this up with them?

--jhawk
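The check the thread asks for, as an added illustration (not code from OpenSSH, MIT krb5 or Heimdal): a model of the .klogin rule that krb5_kuserok() applies, placed beside the password step so the missing authorisation step is visible. It assumes a single default realm EXAMPLE.EDU, takes the .klogin contents as text (None meaning the file is absent), and uses a constructed in-memory password table in place of a real KDC exchange.

```python
"""Modelled .klogin authorisation mirroring krb5_kuserok() semantics.

Added illustration; assumptions: one default realm, .klogin passed in as
text, and a constructed password table standing in for the KDC.
"""
from typing import Optional

LOCAL_REALM = "EXAMPLE.EDU"          # assumed default realm (constructed)

# Constructed stand-in for the KDC: principal -> password. A real
# auth_krb*_password() would obtain a ticket with the password instead.
KDC_PASSWORDS = {
    "alice@EXAMPLE.EDU": "alice-pw",
    "bob@EXAMPLE.EDU": "bob-pw",
    "root@EXAMPLE.EDU": "root-pw",   # a realm administrator can mint this
}

def parse_klogin(text: str) -> set[str]:
    """One principal per line; blank lines and '#' comments are ignored."""
    principals = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            principals.add(line)
    return principals

def kuserok(principal: str, user: str, klogin: Optional[str]) -> bool:
    """True iff `principal` is authorised for the local account `user`.

    With a .klogin present only the listed principals are accepted. Without
    one, the only accepted principal is user@LOCAL_REALM, which is exactly
    what lets a realm administrator into any account whose owner (or local
    machine administrator) never wrote a .klogin.
    """
    if klogin is not None:
        return principal in parse_klogin(klogin)
    return principal == f"{user}@{LOCAL_REALM}"

def password_login(user: str, principal: str, password: str,
                   klogin: Optional[str], check_klogin: bool) -> bool:
    """Password login as discussed in the thread.

    Step 1 proves the client knows the principal's key; step 2 is the
    authorisation check that auth_krb4_password is said to skip.
    """
    if KDC_PASSWORDS.get(principal) != password:      # step 1: authenticate
        return False
    if not check_klogin:                              # current behaviour
        return True
    return kuserok(principal, user, klogin)           # step 2: authorise
```

With check_klogin=False a principal such as root@EXAMPLE.EDU reaches any account whose name matches, which is the situation the thread describes.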
