
Re: heimdal-0.7.1rc2



Hello Love,

On Tue, 20 Sep 2005, Love Hörnquist Åstrand wrote:

> Andreas Haupt <ahaupt@ifh.de> writes:
>
>> Hello,
>>
>> On Mon, 19 Sep 2005, Love Hörnquist Åstrand wrote:
>>
>>> I can't reproduce your problem, it works just fine with me. Both with the
>>> default values, and "correct_des3_mic = host/*@SU.SE" set.
>>
>> Fine. Maybe there's something wrong with my configuration. Here's my
>> krb5.conf for the test environment:
>
> Can you upgrade each component (KDC, ssh, sshd) and see when it breaks ?
> Use old ssh and KDC with new sshd, etc.

Eureka! My problem is more or less solved. It's just the ssh daemon! In 
the file gss-serv-krb5.c, the function ssh_gssapi_krb5_userok calls the
heimdal lib function krb5_userok. This returns false in heimdal 0.7.1 
whereas on heimdal 0.6.3 it returns true.

After reading the man page of krb5_userok I remembered an old .k5login 
file in my home directory (it contained a principal that was used during 
a cross-realm trust test some time ago).

After removing that file everything works fine. Whereas 0.6x did not 
care about it, 0.7x does! That's reproducible. If there is a principal 
name in it that does not belong to the local realm, even the "normal" 
authentication (connection to the same user in the same realm) does not 
work any more.

In heimdal's ChangeLog.2004 I found the following entry:

2004-08-19  Johan Danielsson  <joda@pdc.kth.se>

         * lib/krb5/krb5_kuserok.3: update to reality

         * lib/krb5/kuserok.c: if a .k5login file exist, don't give
         implicit rights to anyone; also check owner/mode of .k5login

My .k5login file was owned by me and had permission 0600. But actually 
krb5_userok shouldn't even care about it as my authentication would have 
succeeded without it.

Did I find a bug?

Thanks and Greetings
Andreas

-- 
| Andreas Haupt                      | E-Mail:  andreas.haupt@desy.de
|  DESY Zeuthen                      | WWW:     http://www.desy.de/~ahaupt
|  Platanenallee 6                   | Phone:   +49/33762/7-7359
|  D-15738 Zeuthen                   | Fax:     +49/33762/7-7216
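The two krb5_kuserok policies contrasted in this thread, modelled as an added example (not Heimdal's or OpenSSH's code): a legacy mode in which an existing .k5login never blocks user@LOCALREALM, as Andreas reports for 0.6.x, and a strict mode following the 2004-08-19 ChangeLog entry, in which a present .k5login grants no implicit rights and must be owned by the user with no group/other access. The realm IFH.DE, the foreign principal, the exact mode bits and the function names are assumptions made for the illustration.

```python
import os
import stat
import tempfile

def read_k5login(path):
    """Principals listed one per line in a .k5login file; '#' lines are comments."""
    with open(path) as fh:
        return {ln.strip() for ln in fh if ln.strip() and not ln.lstrip().startswith("#")}

def kuserok(principal, user, home, local_realm, owner_uid, strict):
    """Return True if `principal` may log in as the local account `user`.

    strict=False: the 0.6.x behaviour reported in the thread (an existing
    .k5login does not block the implicit user@LOCALREALM mapping).
    strict=True: the 0.7.x behaviour from the ChangeLog entry (a present
    .k5login must list the principal, be owned by the user, and must not be
    group/world accessible; the exact mode bits are an assumption here).
    """
    path = os.path.join(home, ".k5login")
    implicit = principal == f"{user}@{local_realm}"
    if not os.path.exists(path):
        return implicit            # no file: only the implicit mapping applies
    if not strict and implicit:
        return True                # legacy: file ignored for the local user
    if strict:
        st = os.stat(path)
        if st.st_uid != owner_uid or st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            return False           # wrong owner or too-open mode: reject
    return principal in read_k5login(path)

def scenario(contents, mode=0o600):
    """Constructed case: ahaupt@IFH.DE logging in as 'ahaupt' (realm is assumed)."""
    home = tempfile.mkdtemp()
    path = os.path.join(home, ".k5login")
    if contents is not None:
        with open(path, "w") as fh:
            fh.write(contents)
        os.chmod(path, mode)
    me = os.getuid()               # stands in for the account's pw_uid
    return {
        "legacy": kuserok("ahaupt@IFH.DE", "ahaupt", home, "IFH.DE", me, strict=False),
        "strict": kuserok("ahaupt@IFH.DE", "ahaupt", home, "IFH.DE", me, strict=True),
    }

if __name__ == "__main__":
    print("stale foreign principal:", scenario("ahaupt@OTHER.REALM\n"))
    print("no .k5login:            ", scenario(None))
    print("self listed, mode 0600: ", scenario("ahaupt@IFH.DE\n"))
    print("self listed, mode 0644: ", scenario("ahaupt@IFH.DE\n", 0o644))
```

The first case reproduces the symptom from the thread: a stale .k5login holding only a foreign-realm principal passes under the legacy policy but refuses the user's own principal under the strict one.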