Bug 225451

Summary: OpenSSH only looks for .k5login in user directory
Product: Base System
Reporter: Mark Felder <feld>
Component: bin
Assignee: freebsd-bugs mailing list <bugs>
Status: New
Severity: Affects Many People
CC: cy, des, emaste
Priority: ---
Keywords: patch, security
Version: CURRENT
Hardware: Any
OS: Any
Attachments (description, flags):
k5login_directory patch (flags: none)
Option to control k5users in sshd.conf (flags: none)
restore the usage of krb5_kuserok() so that localauth plugins can be used (flags: none)
additional .k5users and .k5login checks to complement previous patches (flags: none)

Description Mark Felder freebsd_committer 2018-01-25 15:18:55 UTC
Created attachment 190054 [details]
k5login_directory patch

RedHat patched this. It would be nice if we did the same:

https://bugzilla.redhat.com/show_bug.cgi?id=1328243

They give the ability to *disable* this feature entirely, which is what I was trying to do, as well as adding some extra safety belts.

Attaching relevant patches that RedHat has cooked up for Kerberos.
Comment 1 Mark Felder freebsd_committer 2018-01-25 15:19:46 UTC
Created attachment 190055 [details]
Option to control k5users in sshd.conf
Comment 2 Mark Felder freebsd_committer 2018-01-25 15:22:05 UTC
Created attachment 190056 [details]
restore the usage of krb5_kuserok() so that localauth plugins can be used
Comment 3 Mark Felder freebsd_committer 2018-01-25 15:24:54 UTC
Created attachment 190057 [details]
additional .k5users and .k5login checks to complement previous patches
Comment 4 Mark Felder freebsd_committer 2018-03-30 14:47:06 UTC
This also breaks gssapi-with-mic if your user homedir is locked down with mode 700.
Comment 5 Cy Schubert freebsd_committer 2018-05-16 00:48:31 UTC
The current behavior is consistent with krb5.

https://web.mit.edu/kerberos/krb5-latest/doc/user/user_config/k5login.html

Could the RH patches be an option in the security/openssh-portable port?