Bug 115001 - openssh & kerberos multiple realms problems
Summary: openssh & kerberos multiple realms problems
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High enhancement
Assignee: Gentoo's Team for Core System packages
 
Reported: 2005-12-09 10:21 UTC by M Grundman
Modified: 2006-02-07 21:24 UTC


Description M Grundman 2005-12-09 10:21:22 UTC
When multiple realms are defined in /etc/krb5.conf sshd uses only the first
default realm for kerberos password authentication. However gssapi access works
with multiple default realms, at least for HEIMDAL. It should be fine if sshd
uses all default realms or all realms defined in /etc/krb5.conf.

For HEIMDAL I replaced the line 

"problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user, ccache,
password, 1, NULL);"

by a line 

"problem = krb5_verify_user_lrealm(authctxt->krb5_ctx, authctxt->krb5_user,
ccache, password, 1, NULL);"

in the file auth-krb5.c and the Kerberos password authentication takes into
account all locally defined realms in /etc/krb5.conf file. I did not try to
modify the file for mit-krb5 kerberos distribution.

Reproducible: Always

I use heimdal-0.6.5 and openssh-4.2_p1
Comment 1 SpanKY gentoo-dev 2005-12-09 10:29:53 UTC
Can you please report this upstream? You're clearly more knowledgeable
about the issue, so having me try to talk about kerberos would be a
disaster :)

http://www.openssh.com/report.html
Comment 2 SpanKY gentoo-dev 2006-02-07 21:24:32 UTC
better to track this upstream