https://bugzilla.mindrot.org/show_bug.cgi?id=2032
Priority: P5
Bug ID: 2032
Assignee: unassigned-b...@mindrot.org
Summary: Local user name in krb5_kuserok call
Severity: normal
Classification: Unclassified
OS: AIX
Reporter: miguel.sand...@uniforce.be
Hardware: PPC
Status: NEW
Version: 6.0p1
Component: Kerberos support
Product: Portable OpenSSH
Created attachment 2179
-- https://bugzilla.mindrot.org/attachment.cgi?id=2179action=edit
Patch
Hi Darren
Apparently, I made a small mistake when implementing #1583 back in
5.4p1
@@ -146,7 +146,7 @@
if (problem)
goto out;
- if (!krb5_kuserok(authctxt-krb5_ctx, authctxt-krb5_user,
client)) {
+ if (!krb5_kuserok(authctxt-krb5_ctx, authctxt-krb5_user,
authctxt-pw-pw_name)) {
problem = -1;
goto out;
}
The krb5_kuserok(authctxt-krb5_ctx, authctxt-krb5_user, client) call
verifies if principal authctxt-krb5_user is allowed to login as
local user client.
However, if AUTH_DOMAIN is set, client will be of the form
USER@REALM, which breaks the call.
As a result, the last parameter should always be the local user name
(authctxt-pw-pw_name) as it was before implementing #1583.
Can you please push the attached patch?
Thanks!
Miguel
--
You are receiving this mail because:
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
