Created attachment 190054: k5login_directory patch. RedHat patched this. It would be nice if we did the same: https://bugzilla.redhat.com/show_bug.cgi?id=1328243 They give the ability to *disable* this feature entirely, which is what I was trying to do, as well as added some extra safety belts. Attaching relevant patches that RedHat has cooked up for Kerberos.
Created attachment 190055: Option to control k5users in sshd.conf
Created attachment 190056: restore the usage of krb5_kuserok() so that localauth plugins can be used
Created attachment 190057: additional .k5users and .k5login checks to complement previous patches
This also breaks gssapi-with-mic if your user homedir is locked down with mode 700.
The current behavior is consistent with krb5. https://web.mit.edu/kerberos/krb5-latest/doc/user/user_config/k5login.html Could the RH patches be an option in the security/openssh-portable port?
(In reply to Cy Schubert from comment #5) Cy, apologies for opening an old bug: this is a supported feature in mit krb5: https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html#krb5-conf-5 In our case, we'd want to deny users the ability to use their own k5login, such that you only required a "special" auth token (like user/ssh@DOMAIN.COM) It seems a valid use case for this. -Dan
(In reply to Dan Mahoney from comment #6) OpenSSH in base uses Heimdal, not MIT. Heimdal does not necessarily support all MIT features. And, our Heimdal is 1.5. I am working on replacing it with 7.7.0 (unfortunately there is a serious regression). We should not add any custom patches to our ancient Heimdal until this work is complete because any new patches may not be ported over. Have you tried openssh-portable using the MIT port?
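The policy the thread is arguing about (comments #5 through #7: who controls the list of principals allowed to log in as a local user, and what happens when that list is absent or unreadable) is easier to reason about with a small model. The block below is an added illustration written for this report; it is not MIT's krb5_kuserok(), Heimdal's code, or any of the attached RedHat patches. It models two MIT krb5.conf [libdefaults] settings, k5login_directory (named in attachment 190054) and k5login_authoritative, on top of the plain "principal name equals local user in the default realm" rule. The principals, file layout and the fail-closed handling of an unreadable file (the mode-700 home directory case from comment #4) are assumptions chosen here to show the outcomes, not the libraries' documented behaviour.

```python
"""
Model of how a Kerberos-aware sshd decides whether an authenticated
principal may log in as a local user, with the two krb5.conf knobs the
report discusses: k5login_directory and k5login_authoritative.
Illustration only: not MIT krb5_kuserok(), not Heimdal, not the RedHat
patches.  Paths, principals and the unreadable-file policy are assumptions.
"""
import os
import tempfile


def parse_k5login(path):
    """Return the principals listed in a k5login-style file, or None if
    the file does not exist.  A file that exists but cannot be read is
    NOT treated as absent: PermissionError propagates so the caller can
    decide, because silently falling through would change the outcome
    for exactly the users whose home directories are locked down."""
    try:
        with open(path) as fh:
            return [ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")]
    except FileNotFoundError:
        return None


def default_principal(user, default_realm):
    """The principal the default an2ln rule maps to a local user."""
    return f"{user}@{default_realm}"


def kuserok(principal, user, home, default_realm,
            k5login_directory=None, k5login_authoritative=True):
    """Decide whether `principal` may log in as `user`.

    k5login_directory:     if set, consult <dir>/<user> instead of
                           <home>/.k5login.  The directory is meant to be
                           administrator-owned, so the user can no longer
                           grant access with a file in their own homedir.
    k5login_authoritative: if True, a present file is the only rule;
                           if False, a miss in the file falls through to
                           the default-realm name match.
    """
    if k5login_directory is not None:
        path = os.path.join(k5login_directory, user)
    else:
        path = os.path.join(home, ".k5login")
    try:
        listed = parse_k5login(path)
    except PermissionError:
        # Assumption made in this model: an unreadable list fails closed
        # rather than guessing.  This is the symptom a mode-700 homedir
        # produces when the checking process is unprivileged.
        return False
    if listed is not None:
        if principal in listed:
            return True
        if k5login_authoritative:
            return False
    return principal == default_principal(user, default_realm)


def demo():
    """Build a throwaway layout from constructed sample data and return
    the decision for several principals under each configuration."""
    realm = "EXAMPLE.COM"
    with tempfile.TemporaryDirectory() as root:
        home = os.path.join(root, "home", "alice")
        os.makedirs(home)
        # alice's own file grants bob access to her account
        with open(os.path.join(home, ".k5login"), "w") as fh:
            fh.write("alice@EXAMPLE.COM\nbob@EXAMPLE.COM\n")
        # administrator-controlled directory lists only the ssh instance
        k5dir = os.path.join(root, "etc", "k5login.d")
        os.makedirs(k5dir)
        with open(os.path.join(k5dir, "alice"), "w") as fh:
            fh.write("# managed by the admin, not the user\nalice/ssh@EXAMPLE.COM\n")
        carol_home = os.path.join(root, "home", "carol")  # has no files at all
        return {
            # default: the user's own ~/.k5login decides
            "home_bob": kuserok("bob@EXAMPLE.COM", "alice", home, realm),
            "home_alice": kuserok("alice@EXAMPLE.COM", "alice", home, realm),
            # k5login_directory: the user's own file is never consulted
            "dir_bob": kuserok("bob@EXAMPLE.COM", "alice", home, realm,
                               k5login_directory=k5dir),
            "dir_alice_plain": kuserok("alice@EXAMPLE.COM", "alice", home, realm,
                                       k5login_directory=k5dir),
            "dir_alice_ssh": kuserok("alice/ssh@EXAMPLE.COM", "alice", home, realm,
                                     k5login_directory=k5dir),
            # no managed file for carol: only the default-realm match applies
            "dir_carol": kuserok("carol@EXAMPLE.COM", "carol", carol_home, realm,
                                 k5login_directory=k5dir),
            "dir_carol_foreign": kuserok("carol@OTHER.COM", "carol", carol_home, realm,
                                        k5login_directory=k5dir),
            # non-authoritative: a miss in the managed file falls back
            "dir_alice_plain_nonauth": kuserok("alice@EXAMPLE.COM", "alice", home,
                                               realm, k5login_directory=k5dir,
                                               k5login_authoritative=False),
        }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:26s} {'allow' if allowed else 'deny'}")
```

The "dir_alice_plain" versus "dir_alice_ssh" pair is the use case from comment #6: with an administrator-owned k5login_directory and the authoritative default, a plain alice@EXAMPLE.COM ticket is refused for the alice account and only the alice/ssh instance is accepted, whatever alice puts in her own ~/.k5login. Switching k5login_authoritative off reopens the name-match path, which is why the two settings have to be considered together.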