On Tue, 20 Sep 2005, Love Hörnquist Åstrand wrote:
> Andreas Haupt <firstname.lastname@example.org> writes:
>> On Mon, 19 Sep 2005, Love Hörnquist Åstrand wrote:
>>> I can't reproduce your problem, it works just fine with me. Both with the
>>> default values, and "correct_des3_mic = host/*@SU.SE" set.
>> Fine. Maybe there's something wrong with my configuration. Here's my
>> krb5.conf for the test environment:
> Can you upgrade each component (KDC, ssh, sshd) and see when it breaks?
> Use old ssh and KDC with new sshd, etc.
Heureka! My problem is more or less solved. It's just the ssh daemon! In
the file gss-serv-krb5.c, function ssh_gssapi_krb5_userok it calls the
heimdal lib function krb5_userok. This returns false in heimdal 0.7.1
whereas on heimdal 0.6.3 it returns true.
After reading the man page of krb5_userok I remembered an old .k5login
file in my home directory (it contained a principal that was used during
a cross realm trust test some time ago).
After removing that file everything works fine. Whereas 0.6x did not
care about it, 0.7x does! That's reproducible. If there is a principal
name in it that does not belong to the local realm, even the "normal"
authentication (connection to the same user in the same realm) does not
work any more.
In heimdal's ChangeLog.2004 I found the following entry:
2004-08-19 Johan Danielsson <email@example.com>
* lib/krb5/krb5_kuserok.3: update to reality
* lib/krb5/kuserok.c: if a .k5login file exist, don't give
implicit rights to anyone; also check owner/mode of .k5login
My .k5login file was owned by me and had permission 0600. But actually
krb5_userok shouldn't even care about it as my authentication would have
succeeded without it.
Did I find a bug?
Thanks and Greetings
| Andreas Haupt | E-Mail: firstname.lastname@example.org
| DESY Zeuthen | WWW: http://www.desy.de/~ahaupt
| Platanenallee 6 | Phone: +49/33762/7-7359
| D-15738 Zeuthen | Fax: +49/33762/7-7216
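The behaviour change described in this message, written out as an added C model (not Heimdal's own code): with no .k5login only the implicit "luser@REALM" mapping is accepted; once the file exists, the pre-0.7 rule still grants the implicit mapping while the 0.7 rule accepts listed principals only. The owner/mode test (reject if not owned by the user or writable by group/other, and treat a failed test as denial) and the principal names are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Minimal .k5login reader: one principal per line, exact match only. */
static int k5login_lists(const char *contents, const char *principal) {
    const char *p = contents;
    size_t plen = strlen(principal);
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len == plen && memcmp(p, principal, plen) == 0)
            return 1;
        if (!nl)
            break;
        p = nl + 1;
    }
    return 0;
}

/* Model of the krb5_kuserok decision for "may principal log in as luser".
 * k5login: contents of ~luser/.k5login, or NULL if the file does not exist.
 * owner/mode: ownership and permission bits of that file (assumed check).
 * implicit_with_file: 1 models the 0.6 rule (implicit mapping still granted
 * when the file exists), 0 models the 0.7 rule (listed principals only). */
int model_kuserok(const char *principal, const char *luser, const char *realm,
                  const char *k5login, uid_t owner, uid_t luser_uid,
                  mode_t mode, int implicit_with_file) {
    char implicit[256];
    snprintf(implicit, sizeof implicit, "%s@%s", luser, realm);
    int is_implicit = strcmp(principal, implicit) == 0;

    if (k5login == NULL)                 /* no file: implicit mapping only */
        return is_implicit;
    /* file exists: assumed owner/mode check, failure denies access */
    if (owner != luser_uid || (mode & 022) != 0)
        return 0;
    if (k5login_lists(k5login, principal))
        return 1;
    return implicit_with_file ? is_implicit : 0;
}
```

A .k5login holding only a foreign-realm principal, as in the message, therefore locks the user out of their own account under the 0.7 rule even though the file is owned by them with mode 0600.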