[Bug 1583] New: User principal name in AIX

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Thu Apr 2 16:37:44 EST 2009


           Summary: User principal name in AIX
           Product: Portable OpenSSH
           Version: 5.2p1
          Platform: PPC
        OS/Version: AIX
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Kerberos support
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: miguel.sanders at arcelormittal.com
                CC: miguel.sanders at arcelormittal.com

Created an attachment (id=1621)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1621)
Patch for user principal name

I'm currently observing a rather bizarre situation when using password
based Kerberos authentication in OpenSSH on AIX.
Even though AIX can authenticate a user via Kerberos (using the KRB5A
load module), OpenSSH cannot Kerberos authenticate this user.
This is caused by the fact that the user has two attributes which
OpenSSH doesn't take into account when forming the principal name of
the user (attributes auth_name and auth_domain). 
If AIX user, myuser, has the attributes auth_name=someone and
auth_domain=SOMEWHERE, then the Kerberos principal name would be
someone at SOMEWHERE instead of myuser at DEFAULTREALM. By using the
auth_domain attribute, requests are sent to the SOMEWHERE realm
instead of the default realm DEFAULTREALM, which is listed in the
libdefaults section of the krb5.conf configuration file. 

If I look at the code I can see the following in auth-krb5.c on line
88, which causes this behaviour:

problem = krb5_parse_name(authctxt->krb5_ctx,

Since authctxt->pw->pw_name contains only the user name (without a
realm), the default realm will be automatically appended according to
the documentation of the krb5_parse_name call. Since this isn't the
correct realm name (the overwritten auth_domain is the correct one),
Kerberos authentication fails. If the auth_domain attribute is not set,
the default realm name will be used.
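As an added illustration (not part of the bug report or of the attached patch), here is the precedence the report describes: auth_name replaces the login name, auth_domain replaces the default realm, and an unset attribute falls back to the value OpenSSH already uses. On AIX the two attributes would be read with getuserattr(3); that call is not shown here (an assumption about how a port would obtain them), so the function simply takes them as strings, with NULL or "" meaning "not set". The '@' check and the length check are the example's own additions, not something the report asks for.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * Build a Kerberos principal of the form "name@REALM".
 *
 *   pw_name       login name from the passwd entry (authctxt->pw->pw_name)
 *   auth_name     AIX auth_name attribute, NULL or "" if not set
 *   auth_domain   AIX auth_domain attribute, NULL or "" if not set
 *   default_realm realm from the libdefaults section of krb5.conf
 *
 * Returns 0 and fills `out` on success; -1 if an argument is missing, the
 * result would not fit, or a component itself contains '@' (which would make
 * the principal ambiguous about which realm is contacted).
 */
static int
build_principal(const char *pw_name, const char *auth_name,
    const char *auth_domain, const char *default_realm,
    char *out, size_t outlen)
{
	const char *name, *realm;
	int n;

	if (pw_name == NULL || *pw_name == '\0' ||
	    default_realm == NULL || *default_realm == '\0' ||
	    out == NULL || outlen == 0)
		return -1;

	/* auth_name overrides the login name when present */
	name = (auth_name != NULL && *auth_name != '\0') ? auth_name : pw_name;
	/* auth_domain overrides the default realm when present */
	realm = (auth_domain != NULL && *auth_domain != '\0')
	    ? auth_domain : default_realm;

	/* refuse components that would smuggle a second '@' into the principal */
	if (strchr(name, '@') != NULL || strchr(realm, '@') != NULL)
		return -1;

	n = snprintf(out, outlen, "%s@%s", name, realm);
	if (n < 0 || (size_t)n >= outlen)
		return -1;
	return 0;
}

/* Stand-alone demonstration using the constructed values from the report. */
int
main(void)
{
	char principal[256];
	/* constructed sample records: {pw_name, auth_name, auth_domain} */
	const char *users[][3] = {
		{ "myuser", "someone", "SOMEWHERE" }, /* both attributes set   */
		{ "myuser", NULL,      NULL        }, /* neither set           */
		{ "myuser", NULL,      "SOMEWHERE" }, /* only auth_domain set  */
	};
	size_t i;

	for (i = 0; i < sizeof(users) / sizeof(users[0]); i++) {
		if (build_principal(users[i][0], users[i][1], users[i][2],
		    "DEFAULTREALM", principal, sizeof(principal)) == 0)
			printf("%s -> %s\n", users[i][0], principal);
		else
			printf("%s -> (rejected)\n", users[i][0]);
	}
	return 0;
}
```

With the report's values the first record yields someone@SOMEWHERE, the second myuser@DEFAULTREALM, and the third myuser@SOMEWHERE, which is the behaviour the report says the AIX KRB5A load module already implements and OpenSSH does not.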
