Should auth_krb4_password read .klogin ?

Booker C. Bense bbense at networking.stanford.edu
Fri Nov 30 08:43:07 EST 2001


On Wed, 28 Nov 2001, John Hawkinson wrote:

> Booker C. Bense <bbense at networking.stanford.edu> wrote on Wed, 28 Nov 2001
> at 16:11:59 -0800 in <Pine.GSO.4.33.0111281600390.12915-100000 at shred.stanford.edu>:
>
>
> > - You're misunderstanding what I'm offering. IMHO, it's a misfeature
> > of openssh to ignore the .klogin entries when accepting kerberos
> > logins via password.
>
>
> But of this regardless, I agree it makes sense, otherwise a local
> machine's administrator has no way to prevent a kerberos administrator
> from logging into any account on his machine.

- I've attached the patch for auth-krb4.c

>
> OK. Sorry about the confusion.
>
> > - As far as contributing our local weirdnesses to MIT's k5 code,
> > I have done quite a bit of that, but some things they just refuse
> > to swallow. %-).
>
> Umm, yeah.
>
> Isn't this an issue for krb5, too, though, in ssh?

- From what I can see yes, it's a problem. The krb5 code that's
in the latest release is Heimdal only as far as I can tell. Since
the krb5 code is not enabled and should really use Simon's patches,
I don't want to mess with it until I'm sure it's the right code.

>
> It seems that this is a problem with the sample stuff in MIT krb5,
> e.g. appl/bsd/login.c; nor does Heimdal deal with it in
> appl/login/login.c.
>
> Eww. Who wants to take this up with them?
>

- I have a bunch of login.c patches I've been meaning to send in.
I'll make sure this gets on the list.

- Booker C. Bense
-------------- next part --------------
Index: auth-krb4.c
===================================================================
RCS file: /afs/ir/dev/cvs/kerberos/openssh/auth-krb4.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 auth-krb4.c
--- auth-krb4.c	2001/10/01 18:18:44	1.1.1.1
+++ auth-krb4.c	2001/11/29 00:16:58
@@ -164,6 +311,12 @@
 				    KRB4_SERVICE_NAME, krb_err_txt[r]);
 				goto failure;
 			}
+			/* Now use adata to verify that user can login to acct */ 
+			if (kuserok(&adata, pw->pw_name) != KSUCCESS) {
+				log("Kerberos v4 .klogin authorization failed for %s@%s to "
+				    "account %s",adata.pname,adata.prealm , pw->pw_name);
+				goto failure ; 
+			}
 		} else if (r == KDC_PR_UNKNOWN) {
 			/*
 			 * Disallow login if no rcmd service exists, and

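Added example, not from this post and not the krb4 library's kuserok(): a simplified model of the .klogin decision that the patched auth-krb4.c delegates to kuserok(), run over a constructed scenario from the thread (a Kerberos administrator's principal trying a local account). The rules it encodes are assumptions, not something the post states: a .klogin line is "name.instance@realm", and when the account has no .klogin the only principal accepted is "account@LOCAL-REALM" with an empty instance.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    """Mirrors the pname / pinst / prealm fields of a krb4 AUTH_DAT."""
    name: str
    inst: str
    realm: str


def parse_principal(text: str, default_realm: str) -> Principal:
    """Parse 'name[.instance][@realm]' as written in a .klogin line (assumed format)."""
    text = text.strip()
    realm = default_realm
    if "@" in text:
        text, realm = text.rsplit("@", 1)
    name, _, inst = text.partition(".")
    return Principal(name, inst, realm)


def klogin_allows(adata: Principal, luser: str, klogin: Optional[str], local_realm: str) -> bool:
    """True if the authenticated principal may log in as luser.

    klogin is the text of ~luser/.klogin, or None when the file is absent.
    Assumed default rule: no .klogin means only luser@local_realm is accepted,
    so a foreign or admin principal is refused unless the account lists it.
    """
    if klogin is None:
        return adata == Principal(luser, "", local_realm)
    for line in klogin.splitlines():
        if line.strip():
            if parse_principal(line, local_realm) == adata:
                return True
    return False


def demo() -> dict:
    """Constructed scenario: realm, principals and .klogin contents are placeholders."""
    local_realm = "EXAMPLE.EDU"
    owner = Principal("booker", "", local_realm)          # the account's own principal
    admin = Principal("jsmith", "admin", local_realm)     # a Kerberos administrator
    klogin = "booker@EXAMPLE.EDU\nalice.root@EXAMPLE.EDU\n"
    return {
        "owner_no_klogin": klogin_allows(owner, "booker", None, local_realm),
        "admin_no_klogin": klogin_allows(admin, "booker", None, local_realm),
        "admin_with_klogin": klogin_allows(admin, "booker", klogin, local_realm),
        "listed_with_klogin": klogin_allows(Principal("alice", "root", local_realm), "booker", klogin, local_realm),
        "foreign_realm": klogin_allows(Principal("booker", "", "OTHER.ORG"), "booker", None, local_realm),
    }
```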