Bug 225451 - OpenSSH only looks for .k5login in user directory
Summary: OpenSSH only looks for .k5login in user directory
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Many People
Assignee: freebsd-bugs mailing list
URL:
Keywords: patch, security
Depends on:
Blocks:
 
Reported: 2018-01-25 15:18 UTC by Mark Felder
Modified: 2018-05-16 00:48 UTC
CC List: 3 users

See Also:


Attachments
k5login_directory patch (2.56 KB, patch) - 2018-01-25 15:18 UTC, Mark Felder
Option to control k5users in sshd.conf (5.58 KB, patch) - 2018-01-25 15:19 UTC, Mark Felder
restore the usage of krb5_kuserok() so that localauth plugins can be used (13.02 KB, patch) - 2018-01-25 15:22 UTC, Mark Felder
additional .k5users and .k5login checks to complement previous patches (8.24 KB, patch) - 2018-01-25 15:24 UTC, Mark Felder

Description Mark Felder freebsd_committer 2018-01-25 15:18:55 UTC
Created attachment 190054
k5login_directory patch

Red Hat patched this. It would be nice if we did the same:

https://bugzilla.redhat.com/show_bug.cgi?id=1328243


They give the ability to *disable* this feature entirely, which is what I was trying to do, as well as adding some extra safety belts.

Attaching relevant patches that Red Hat has cooked up for Kerberos.
Comment 1 Mark Felder freebsd_committer 2018-01-25 15:19:46 UTC
Created attachment 190055
Option to control k5users in sshd.conf
Comment 2 Mark Felder freebsd_committer 2018-01-25 15:22:05 UTC
Created attachment 190056
restore the usage of krb5_kuserok() so that localauth plugins can be used
Comment 3 Mark Felder freebsd_committer 2018-01-25 15:24:54 UTC
Created attachment 190057
additional .k5users and .k5login checks to complement previous patches
Comment 4 Mark Felder freebsd_committer 2018-03-30 14:47:06 UTC
This also breaks gssapi-with-mic if your user homedir is locked down with mode 700.
Comment 5 Cy Schubert freebsd_committer 2018-05-16 00:48:31 UTC
The current behavior is consistent with krb5.

https://web.mit.edu/kerberos/krb5-latest/doc/user/user_config/k5login.html

Could the RH patches be an option in the security/openssh-portable port?