Introduction:
Currently, OpenSSH does not handle the krb5_kuserok call properly.
Impacted:
- OpenSSH <= 6.1p1
Details:
The krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client) call verifies whether the principal "authctxt->krb5_user" is allowed to log in as the local user "client".
However, if AUTH_DOMAIN is set, "client" will be of the form USER@REALM, which breaks the call. The last parameter should therefore always be the local user name (authctxt->pw->pw_name), as it was before Bugzilla item # 1583 was implemented.
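The failure described above, as an added example that is not OpenSSH or Kerberos library code: model_kuserok() is a hypothetical, simplified stand-in for krb5_kuserok() that resolves its last argument as a local account name, and the accounts, principals and struct names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data: local accounts and the principals each one
 * authorises (the role ~/.k5login plays). Not from any real system. */
struct account { const char *name; const char *allowed[3]; };
static const struct account accounts[] = {
    { "alice", { "alice@EXAMPLE.COM", "alice/admin@EXAMPLE.COM", NULL } },
    { "bob",   { "bob@EXAMPLE.COM", NULL } },
};

/* Hypothetical stand-in for krb5_kuserok(): luser is resolved as a LOCAL
 * account name, then the principal must be authorised for that account. */
static int model_kuserok(const char *principal, const char *luser)
{
    size_t i, j;
    for (i = 0; i < sizeof(accounts) / sizeof(accounts[0]); i++) {
        if (strcmp(accounts[i].name, luser) != 0)
            continue;
        for (j = 0; accounts[i].allowed[j] != NULL; j++)
            if (strcmp(accounts[i].allowed[j], principal) == 0)
                return 1;
        return 0; /* account exists, principal not authorised for it */
    }
    return 0;     /* no local account with that name */
}

/* client: the login string as received; pw_name: the resolved local
 * account, i.e. what authctxt->pw->pw_name holds. */
struct login { const char *principal, *client, *pw_name; };

static int check_with_client(const struct login *l)
{ return model_kuserok(l->principal, l->client); }   /* affected form */
static int check_with_pw_name(const struct login *l)
{ return model_kuserok(l->principal, l->pw_name); }  /* corrected form */

/* Constructed logins: no domain suffix, USER@REALM, and a wrong principal. */
static const struct login plain  = { "alice@EXAMPLE.COM", "alice", "alice" };
static const struct login domain = { "alice@EXAMPLE.COM", "alice@EXAMPLE.COM", "alice" };
static const struct login other  = { "bob@EXAMPLE.COM", "alice@EXAMPLE.COM", "alice" };

int main(void)
{
    printf("plain : client=%d pw_name=%d\n", check_with_client(&plain), check_with_pw_name(&plain));
    printf("domain: client=%d pw_name=%d\n", check_with_client(&domain), check_with_pw_name(&domain));
    printf("other : client=%d pw_name=%d\n", check_with_client(&other), check_with_pw_name(&other));
    return 0;
}
```

In this model the USER@REALM login is rejected only when "client" is passed, while a principal that is not authorised for the account is rejected in both forms.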
Resolution:
- Bugzilla item # 2032 was created to address this issue. The item contains a patch to the source which solves the issue.