|Summary:||OpenSSH only looks for .k5login in user directory|
|Product:||Base System||Reporter:||Mark Felder <feld>|
|Component:||bin||Assignee:||freebsd-bugs (Nobody) <bugs>|
|Severity:||Affects Many People||CC:||cy, des, emaste|
Description Mark Felder 2018-01-25 15:18:55 UTC
Created attachment 190054: k5login_directory patch

RedHat patched this. It would be nice if we did the same: https://bugzilla.redhat.com/show_bug.cgi?id=1328243

They give the ability to *disable* this feature entirely, which is what I was trying to do, as well as added some extra safetybelts. Attaching relevant patches that RedHat has cooked up for Kerberos.
Comment 1 Mark Felder 2018-01-25 15:19:46 UTC
Created attachment 190055: Option to control k5users in sshd.conf
Comment 2 Mark Felder 2018-01-25 15:22:05 UTC
Created attachment 190056: restore the usage of krb5_kuserok() so that localauth plugins can be used
Comment 3 Mark Felder 2018-01-25 15:24:54 UTC
Created attachment 190057: additional .k5users and .k5login checks to complement previous patches
Comment 4 Mark Felder 2018-03-30 14:47:06 UTC
This also breaks gssapi-with-mic if your user homedir is locked down with mode 700.
Comment 5 Cy Schubert 2018-05-16 00:48:31 UTC
The current behavior is consistent with krb5: https://web.mit.edu/kerberos/krb5-latest/doc/user/user_config/k5login.html

Could the RH patches be an option in the security/openssh-portable port?