Created attachment 2179 [details] Patch Hi Darren Apparently, I made a small mistake when implementing #1583 back in 5.4p1 @@ -146,7 +146,7 @@ if (problem) goto out; - if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) { + if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, authctxt->pw->pw_name)) { problem = -1; goto out; } The krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client) call verifies if principal "authctxt->krb5_user" is allowed to login as local user "client". However, if AUTH_DOMAIN is set, "client" will be of the form USER@REALM, which breaks the call. As a result, the last parameter should always be the local user name (authctxt->pw->pw_name) as it was before implementing #1583. Can you please push the attached patch? Thanks! Miguel
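Review bot: the new third argument to krb5_kuserok() dereferences authctxt->pw, and nothing in the visible context shows that it is non-NULL at this point. Please confirm this path is only reached with a valid passwd entry, or add a check before the call. A short comment above the call stating that krb5_kuserok() expects the local account name, not the possibly realm-qualified "client" string, would also help keep this from regressing.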
Created attachment 2180 [details] Patch
Unfortunately it's too late for 6.1 (the OpenBSD release is already cut), so targeting 6.2.
Created attachment 2195 [details] revised patch The reporter's patch no longer applies as there is no longer any call to krb5_kuserok() in auth1.c. I think this one is correct.
retarget to openssh-6.3
Retarget to openssh-6.4
Retarget 6.3 -> 6.4
applied - this will be in openssh-6.4p1. Thanks!
Close all resolved bugs after 7.3p1 release