2032 – Local user name in krb5_kuserok call

Bug 2032 - Local user name in krb5_kuserok call

Summary: Local user name in krb5_kuserok call

Status:	CLOSED FIXED

Alias:	None

Product:	Portable OpenSSH
Classification:	Unclassified
Component:	Kerberos support (show other bugs)
Version:	6.0p1
Hardware:	PPC AIX

Importance:	P5 normal
Assignee:	Assigned to nobody

URL:
Keywords:

Depends on:
Blocks:	V_6_5
	Show dependency tree / graph

Reported:	2012-08-10 22:30 AEST by Miguel Sanders
Modified:	2016-08-02 10:43 AEST (History)
CC List:	2 users (show)

See Also:

Attachments
Patch (349 bytes, application/octet-stream) 2012-08-10 22:30 AEST, Miguel Sanders	no flags	Details
Patch (349 bytes, patch) 2012-08-10 22:31 AEST, Miguel Sanders	no flags	Details \| Diff
revised patch (564 bytes, patch) 2012-11-29 13:11 AEDT, Damien Miller	dtucker: ok+	Details \| Diff
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Miguel Sanders 2012-08-10 22:30:06 AEST

Created attachment 2179 [details]
Patch

Hi Darren

Apparently, I made a small mistake when implementing #1583 back in 5.4p1

@@ -146,7 +146,7 @@
        if (problem)
                goto out;

-       if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
+       if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, authctxt->pw->pw_name)) {
                problem = -1;
                goto out;
        }

The krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client) call verifies if principal "authctxt->krb5_user" is allowed to login as local user "client".
However, if AUTH_DOMAIN is set, "client" will be of the form USER@REALM, which breaks the call.
As a result, the last parameter should always be the local user name (authctxt->pw->pw_name) as it was before implementing #1583.

Can you please push the attached patch?

Thanks!

Miguel

Comment 1 Miguel Sanders 2012-08-10 22:31:07 AEST

Created attachment 2180 [details]
Patch

Comment 2 Darren Tucker 2012-08-17 10:29:26 AEST

unfortunately it's too late for 6.1 (the openbsd release is already cut) so targeting 6.2

Comment 3 Damien Miller 2012-11-29 13:11:02 AEDT

Created attachment 2195 [details]
revised patch

The reporter's patch no longer applies as there is no longer any call to krb5_kuserok() in auth1.c. I think this one is correct.

Comment 4 Damien Miller 2013-03-08 10:23:15 AEDT

retarget to openssh-6.3

Comment 5 Damien Miller 2013-07-25 12:17:17 AEST

Retarget to openssh-6.4

Comment 6 Damien Miller 2013-07-25 12:20:10 AEST

Retarget 6.3 -> 6.4

Comment 7 Damien Miller 2013-10-24 10:53:50 AEDT

applied - this will be in openssh-6.4p1. Thanks!

Comment 8 Damien Miller 2016-08-02 10:43:04 AEST

Close all resolved bugs after 7.3p1 release