FreeBSD Bugzilla – Attachment 190055 Details for
Bug 225451
OpenSSH only looks for .k5login in user directory
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
Option to control k5users in sshd.conf
openssh-6.6p1-GSSAPIEnablek5users.patch (text/plain), 5.58 KB, created by
Mark Felder
on 2018-01-25 15:19:46 UTC
(
hide
)
Description:
Option to control k5users in sshd.conf
Filename:
MIME Type:
Creator:
Mark Felder
Created:
2018-01-25 15:19:46 UTC
Size:
5.58 KB
patch
obsolete
>diff -up openssh-7.4p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-7.4p1/gss-serv-krb5.c >--- openssh-7.4p1/gss-serv-krb5.c.GSSAPIEnablek5users 2017-02-09 10:10:47.403859893 +0100 >+++ openssh-7.4p1/gss-serv-krb5.c 2017-02-09 10:10:47.414859882 +0100 >@@ -260,7 +260,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri > FILE *fp; > char file[MAXPATHLEN]; > char line[BUFSIZ]; >- char kuser[65]; /* match krb5_kuserok() */ > struct stat st; > struct passwd *pw = the_authctxt->pw; > int found_principal = 0; >@@ -269,7 +268,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri > > snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir); > /* If both .k5login and .k5users DNE, self-login is ok. */ >- if (!k5login_exists && (access(file, F_OK) == -1)) { >+ if ( !options.enable_k5users || (!k5login_exists && (access(file, F_OK) == -1))) { > return ssh_krb5_kuserok(krb_context, principal, luser, > k5login_exists); > } >diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c >--- openssh-7.4p1/servconf.c.GSSAPIEnablek5users 2017-02-09 10:10:47.404859892 +0100 >+++ openssh-7.4p1/servconf.c 2017-02-09 10:18:45.800385543 +0100 >@@ -166,6 +166,7 @@ initialize_server_options(ServerOptions > options->ip_qos_bulk = -1; > options->version_addendum = NULL; > options->use_kuserok = -1; >+ options->enable_k5users = -1; > options->fingerprint_hash = -1; > options->disable_forwarding = -1; > } >@@ -337,6 +338,8 @@ fill_default_server_options(ServerOption > options->show_patchlevel = 0; > if (options->use_kuserok == -1) > options->use_kuserok = 1; >+ if (options->enable_k5users == -1) >+ options->enable_k5users = 0; > if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1) > options->fwd_opts.streamlocal_bind_mask = 0177; > if (options->fwd_opts.streamlocal_bind_unlink == -1) >@@ -418,7 +421,7 @@ typedef enum { > sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, > sHostKeyAlgorithms, > sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, >- sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, >+ sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor, > sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel, > sMatch, sPermitOpen, sForceCommand, sChrootDirectory, > sUsePrivilegeSeparation, sAllowAgentForwarding, >@@ -497,12 +500,14 @@ static struct { > { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, > { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL }, > { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL }, >+ { "gssapienablek5users", sGssEnablek5users, SSHCFG_ALL }, > #else > { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, > { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, > { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, > { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL }, > { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL }, >+ { "gssapienablek5users", sUnsupported, SSHCFG_ALL }, > #endif > { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL }, > { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL }, >@@ -1653,6 +1658,10 @@ process_server_config_line(ServerOptions > intptr = &options->use_kuserok; > goto parse_flag; > >+ case sGssEnablek5users: >+ intptr = &options->enable_k5users; >+ goto parse_flag; >+ > case sPermitOpen: > arg = strdelim(&cp); > if (!arg || *arg == '\0') >@@ -2026,6 +2035,7 @@ copy_set_server_options(ServerOptions *d > M_CP_INTOPT(ip_qos_interactive); > M_CP_INTOPT(ip_qos_bulk); > M_CP_INTOPT(use_kuserok); >+ M_CP_INTOPT(enable_k5users); > M_CP_INTOPT(rekey_limit); > M_CP_INTOPT(rekey_interval); > >@@ -2319,6 +2329,7 @@ dump_config(ServerOptions *o) > dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink); > dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); > dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok); >+ dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users); > dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); > > /* string arguments */ >diff -up openssh-7.4p1/servconf.h.GSSAPIEnablek5users openssh-7.4p1/servconf.h >--- openssh-7.4p1/servconf.h.GSSAPIEnablek5users 2017-02-09 10:10:47.404859892 +0100 >+++ openssh-7.4p1/servconf.h 2017-02-09 10:10:47.415859881 +0100 >@@ -174,7 +174,8 @@ typedef struct { > > int num_permitted_opens; > >- int use_kuserok; >+ int use_kuserok; >+ int enable_k5users; > char *chroot_directory; > char *revoked_keys_file; > char *trusted_user_ca_keys; >diff -up openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users openssh-7.4p1/sshd_config.5 >--- openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users 2017-02-09 10:10:47.415859881 +0100 >+++ openssh-7.4p1/sshd_config.5 2017-02-09 10:19:29.420336796 +0100 >@@ -633,6 +633,12 @@ Specifies whether key exchange based on > doesn't rely on ssh keys to verify host identity. > The default is > .Dq no . >+.It Cm GSSAPIEnablek5users >+Specifies whether to look at .k5users file for GSSAPI authentication >+access control. Further details are described in >+.Xr ksu 1 . >+The default is >+.Cm no . > .It Cm GSSAPIStrictAcceptorCheck > Determines whether to be strict about the identity of the GSSAPI acceptor > a client authenticates against. >diff -up openssh-7.4p1/sshd_config.GSSAPIEnablek5users openssh-7.4p1/sshd_config >--- openssh-7.4p1/sshd_config.GSSAPIEnablek5users 2017-02-09 10:10:47.404859892 +0100 >+++ openssh-7.4p1/sshd_config 2017-02-09 10:10:47.415859881 +0100 >@@ -80,6 +80,7 @@ GSSAPIAuthentication yes > GSSAPICleanupCredentials no > #GSSAPIStrictAcceptorCheck yes > #GSSAPIKeyExchange no >+#GSSAPIEnablek5users no > > # Set this to 'yes' to enable PAM authentication, account processing, > # and session processing. If this is enabled, PAM authentication will
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=190055">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 225451
:
190054
| 190055 |
190056
|
190057