Petr Šabata 81d24c
diff -up openssh-7.4p1/auth-krb5.c.kuserok openssh-7.4p1/auth-krb5.c
Petr Šabata 81d24c
--- openssh-7.4p1/auth-krb5.c.kuserok	2016-12-23 14:36:07.640465939 +0100
Petr Šabata 81d24c
+++ openssh-7.4p1/auth-krb5.c	2016-12-23 14:36:07.644465936 +0100
Petr Šabata 81d24c
@@ -56,6 +56,21 @@
Petr Šabata 81d24c
 
Petr Šabata 81d24c
 extern ServerOptions	 options;
Petr Šabata 81d24c
 
Petr Šabata 81d24c
+int
Petr Šabata 81d24c
+ssh_krb5_kuserok(krb5_context krb5_ctx, krb5_principal krb5_user, const char *client,
Petr Šabata 81d24c
+                 int k5login_exists)
Petr Šabata 81d24c
+{
Petr Šabata 81d24c
+	if (options.use_kuserok || !k5login_exists)
Petr Šabata 81d24c
+		return krb5_kuserok(krb5_ctx, krb5_user, client);
Petr Šabata 81d24c
+	else {
Petr Šabata 81d24c
+		char kuser[65];
Petr Šabata 81d24c
+
Petr Šabata 81d24c
+		if (krb5_aname_to_localname(krb5_ctx, krb5_user, sizeof(kuser), kuser))
Petr Šabata 81d24c
+			return 0;
Petr Šabata 81d24c
+		return strcmp(kuser, client) == 0;
Petr Šabata 81d24c
+	}
Petr Šabata 81d24c
+}
Petr Šabata 81d24c
+
Petr Šabata 81d24c
 static int
Petr Šabata 81d24c
 krb5_init(void *context)
Petr Šabata 81d24c
 {
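Review bot: ssh_krb5_kuserok() makes an authorization decision but has no comment stating its contract, and it is a non-static function whose only prototype is the `extern` line this patch adds to gss-serv-krb5.c. A short header comment should say that a nonzero return means the principal may log in as `client`, that a krb5_aname_to_localname() failure is treated as a denial, and that `k5login_exists` must reflect the caller's own check of ~/.k5login. Moving the prototype into a header included by both files would let the compiler catch a signature mismatch. The size in `char kuser[65];` is a bare number; a named constant or a one-line comment on why 65 would help.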
Petr Šabata 81d24c
@@ -160,8 +175,9 @@ auth_krb5_password(Authctxt *authctxt, c
Petr Šabata 81d24c
 	if (problem)
Petr Šabata 81d24c
 		goto out;
Petr Šabata 81d24c
 
Petr Šabata 81d24c
-	if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
Petr Šabata 81d24c
-	    authctxt->pw->pw_name)) {
Petr Šabata 81d24c
+	/* Use !options.use_kuserok here to make ssh_krb5_kuserok() not
Petr Šabata 81d24c
+	 * depend on the existance of .k5login */
Petr Šabata 81d24c
+	if (!ssh_krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, authctxt->pw->pw_name, !options.use_kuserok)) {
Petr Šabata 81d24c
 		problem = -1;
Petr Šabata 81d24c
 		goto out;
Petr Šabata 81d24c
 	}
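Review bot: The fourth argument here is not a .k5login existence check: `!options.use_kuserok` forces the krb5_aname_to_localname() branch whenever KerberosUseKuserok is off, so password authentication never reaches krb5_kuserok() in that mode, unlike the GSSAPI callers in gss-serv-krb5.c, which pass a real `k5login_exists`. If that stricter behaviour is intended, the comment should say so, e.g. `/* No .k5login lookup on this path: with KerberosUseKuserok off, always compare against krb5_aname_to_localname(). */`. The new call also runs well past 80 columns, where the removed call was wrapped. auth_krb5_password() starts and ends outside the hunk.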
Petr Šabata 81d24c
diff -up openssh-7.4p1/gss-serv-krb5.c.kuserok openssh-7.4p1/gss-serv-krb5.c
Petr Šabata 81d24c
--- openssh-7.4p1/gss-serv-krb5.c.kuserok	2016-12-23 14:36:07.640465939 +0100
Petr Šabata 81d24c
+++ openssh-7.4p1/gss-serv-krb5.c	2016-12-23 14:36:07.644465936 +0100
Petr Šabata 81d24c
@@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr
Petr Šabata 81d24c
     int);
Petr Šabata 81d24c
 
Petr Šabata 81d24c
 static krb5_context krb_context = NULL;
Petr Šabata 81d24c
+extern int ssh_krb5_kuserok(krb5_context, krb5_principal, const char *, int);
Petr Šabata 81d24c
 
Petr Šabata 81d24c
 /* Initialise the krb5 library, for the stuff that GSSAPI won't do */
Petr Šabata 81d24c
 
Petr Šabata 81d24c
@@ -92,6 +93,103 @@ ssh_gssapi_krb5_init(void)
Petr Šabata 81d24c
  * Returns true if the user is OK to log in, otherwise returns 0
Petr Šabata 81d24c
  */
Petr Šabata 81d24c
 
Petr Šabata 81d24c
+/* The purpose of the function is to find out if a Kerberos principal is
Petr Šabata 81d24c
+ * allowed to log in as the given local user. This is a general problem with
Petr Šabata 81d24c
+ * Kerberized services because by design the Kerberos principals are
Petr Šabata 81d24c
+ * completely independent from the local user names. This is one of the
Petr Šabata 81d24c
+ * reasons why Kerberos is working well on different operating systems like
Petr Šabata 81d24c
+ * Windows and UNIX/Linux. Nevertheless a relationship between a Kerberos
Petr Šabata 81d24c
+ * principal and a local user name must be established because otherwise every
Petr Šabata 81d24c
+ * access would be granted for every principal with a valid ticket.
Petr Šabata 81d24c
+ *
Petr Šabata 81d24c
+ * Since it is a general issue libkrb5 provides some functions for
Petr Šabata 81d24c
+ * applications to find out about the relationship between the Kerberos
Petr Šabata 81d24c
+ * principal and a local user name. They are krb5_kuserok() and
Petr Šabata 81d24c
+ * krb5_aname_to_localname().
Petr Šabata 81d24c
+ *
Petr Šabata 81d24c
+ * krb5_kuserok() can be used to "Determine if a principal is authorized to
Petr Šabata 81d24c
+ * log in as a local user" (from the MIT Kerberos documentation of this
Petr Šabata 81d24c
+ * function). Which is exactly what we are looking for and should be the
Petr Šabata 81d24c
+ * preferred choice. It accepts the Kerberos principal and a local user name
Petr Šabata 81d24c
+ * and let libkrb5 or its plugins determine if they relate to each other or
Petr Šabata 81d24c
+ * not.
Petr Šabata 81d24c
+ *
Petr Šabata 81d24c
+ * krb5_aname_to_localname() can use used to "Convert a principal name to a
Petr Šabata 81d24c
+ * local name" (from the MIT Kerberos documentation of this function). It
Petr Šabata 81d24c
+ * accepts a Kerberos principle and returns a local name and it is up to the
Petr Šabata 81d24c
+ * application to do any additional checks. There are two issues using
Petr Šabata 81d24c
+ * krb5_aname_to_localname(). First, since POSIX user names are case
Petr Šabata 81d24c
+ * sensitive, the calling application in general has no other choice than
Petr Šabata 81d24c
+ * doing a case-sensitive string comparison between the name returned by
Petr Šabata 81d24c
+ * krb5_aname_to_localname() and the name used at the login prompt. When the
Petr Šabata 81d24c
+ * users are provided by a case in-sensitive server, e.g. Active Directory,
Petr Šabata 81d24c
+ * this might lead to login failures because the user typing the name at the
Petr Šabata 81d24c
+ * login prompt might not be aware of the right case. Another issue might be
Petr Šabata 81d24c
+ * caused if there are multiple alias names available for a single user. E.g.
Petr Šabata 81d24c
+ * the canonical name of a user is user@group.department.example.com but there
Petr Šabata 81d24c
+ * exists a shorter login name, e.g. user@example.com, to safe typing at the
Petr Šabata 81d24c
+ * login prompt. Here krb5_aname_to_localname() can only return the canonical
Petr Šabata 81d24c
+ * name, but if the short alias is used at the login prompt authentication
Petr Šabata 81d24c
+ * will fail as well. All this can be avoided by using krb5_kuserok() and
Petr Šabata 81d24c
+ * configuring krb5.conf or using a suitable plugin to meet the needs of the
Petr Šabata 81d24c
+ * given environment.
Petr Šabata 81d24c
+ *
Petr Šabata 81d24c
+ * The Fedora and RHEL version of openssh contain two patches which modify the
Petr Šabata 81d24c
+ * access control behavior:
Petr Šabata 81d24c
+ *  - openssh-6.6p1-kuserok.patch
Petr Šabata 81d24c
+ *  - openssh-6.6p1-force_krb.patch
Petr Šabata 81d24c
+ *
Petr Šabata 81d24c
+ * openssh-6.6p1-kuserok.patch adds a new option KerberosUseKuserok for
Petr Šabata 81d24c
+ * sshd_config which controls if krb5_kuserok() is used to check if the
Petr Šabata 81d24c
+ * principle is authorized or if krb5_aname_to_localname() should be used.
Petr Šabata 81d24c
+ * The reason to add this patch was that krb5_kuserok() by default checks if
Petr Šabata 81d24c
+ * a .k5login file exits in the users home-directory. With this the user can
Petr Šabata 81d24c
+ * give access to his account for any given principal which might be
Petr Šabata 81d24c
+ * in violation with company policies and it would be useful if this can be
Petr Šabata 81d24c
+ * rejected. Nevertheless the patch ignores the fact that krb5_kuserok() does
Petr Šabata 81d24c
+ * no only check .k5login but other sources as well and checking .k5login can
Petr Šabata 81d24c
+ * be disabled for all applications in krb5.conf as well. With this new
Petr Šabata 81d24c
+ * option KerberosUseKuserok set to 'no' (and this is the default for RHEL7
Petr Šabata 81d24c
+ * and Fedora 21) openssh can only use krb5_aname_to_localname() with the
Petr Šabata 81d24c
+ * restrictions mentioned above.
Petr Šabata 81d24c
+ *
Petr Šabata 81d24c
+ * openssh-6.6p1-force_krb.patch adds a ksu like behaviour to ssh, i.e. when
Petr Šabata 81d24c
+ * using GSSAPI authentication only commands configured in the .k5user can be
Petr Šabata 81d24c
+ * executed. Here the wrong assumption that krb5_kuserok() only checks
Petr Šabata 81d24c
+ * .k5login is made as well. In contrast ksu checks .k5login directly and
Petr Šabata 81d24c
+ * does not use krb5_kuserok() which might be more useful for the given
Petr Šabata 81d24c
+ * purpose. Additionally this patch is not synced with
Petr Šabata 81d24c
+ * openssh-6.6p1-kuserok.patch.
Petr Šabata 81d24c
+ *
Petr Šabata 81d24c
+ * The current patch tries to restore the usage of krb5_kuserok() so that e.g.
Petr Šabata 81d24c
+ * localauth plugins can be used. It does so by adding a forth parameter to
Petr Šabata 81d24c
+ * ssh_krb5_kuserok() which indicates whether .k5login exists or not. If it
Petr Šabata 81d24c
+ * does not exists krb5_kuserok() is called even if KerberosUseKuserok is set
Petr Šabata 81d24c
+ * to 'no' because the intent of the option is to not check .k5login and if it
Petr Šabata 81d24c
+ * does not exists krb5_kuserok() returns a result without checking .k5login.
Petr Šabata 81d24c
+ * If .k5login does exists and KerberosUseKuserok is 'no' we fall back to
Petr Šabata 81d24c
+ * krb5_aname_to_localname(). This is in my point of view an acceptable
Petr Šabata 81d24c
+ * limitation and does not break the current behaviour.
Petr Šabata 81d24c
+ *
Petr Šabata 81d24c
+ * Additionally with this patch ssh_krb5_kuserok() is called in
Petr Šabata 81d24c
+ * ssh_gssapi_krb5_cmdok() instead of only krb5_aname_to_localname() is
Petr Šabata 81d24c
+ * neither .k5login nor .k5users exists to allow plugin evaluation via
Petr Šabata 81d24c
+ * krb5_kuserok() as well.
Petr Šabata 81d24c
+ *
Petr Šabata 81d24c
+ * I tried to keep the patch as minimal as possible, nevertheless I see some
Petr Šabata 81d24c
+ * areas for improvement which, if they make sense, have to be evaluated
Petr Šabata 81d24c
+ * carefully because they might change existing behaviour and cause breaks
Petr Šabata 81d24c
+ * during upgrade:
Petr Šabata 81d24c
+ * - I wonder if disabling .k5login usage make sense in sshd or if it should
Petr Šabata 81d24c
+ *   be better disabled globally in krb5.conf
Petr Šabata 81d24c
+ * - if really needed openssh-6.6p1-kuserok.patch should be fixed to really
Petr Šabata 81d24c
+ *   only disable checking .k5login and maybe .k5users
Petr Šabata 81d24c
+ * - the ksu behaviour should be configurable and maybe check the .k5login and
Petr Šabata 81d24c
+ *   .k5users files directly like ksu itself does
Petr Šabata 81d24c
+ * - to make krb5_aname_to_localname() more useful an option for sshd to use
Petr Šabata 81d24c
+ *   the canonical name (the one returned by getpwnam()) instead of the name
Petr Šabata 81d24c
+ *   given at the login prompt might be useful */
Petr Šabata 81d24c
+
Petr Šabata 81d24c
 static int
Petr Šabata 81d24c
 ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
Petr Šabata 81d24c
 {
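Review bot: This block is inserted between the existing comment that ends `Returns true if the user is OK to log in, otherwise returns 0` and ssh_gssapi_krb5_userok(), so that function's own description is now separated from it by a long design history. The text mostly explains ssh_krb5_kuserok() in auth-krb5.c and earlier packaging decisions; it would sit better next to that function or in the patch description, with a short summary left here. It also says that KerberosUseKuserok 'no' is the default for RHEL7 and Fedora 21, which does not match the default of 1 set in the servconf.c part of this patch or the `yes` in the man page hunk. Several words need correcting when it is moved: `principle` for principal, `exits` for exists, `forth` for fourth, `can use used`, `to safe typing`.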
Petr Šabata 81d24c
@@ -116,7 +214,8 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
Petr Šabata 81d24c
 	/* NOTE: .k5login and .k5users must opened as root, not the user,
Petr Šabata 81d24c
 	 * because if they are on a krb5-protected filesystem, user credentials
Petr Šabata 81d24c
 	 * to access these files aren't available yet. */
Petr Šabata 81d24c
-	if (krb5_kuserok(krb_context, princ, name) && k5login_exists) {
Petr Šabata 81d24c
+	if (ssh_krb5_kuserok(krb_context, princ, name, k5login_exists)
Petr Šabata 81d24c
+			&& k5login_exists) {
Petr Šabata 81d24c
 		retval = 1;
Petr Šabata 81d24c
 		logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
Petr Šabata 81d24c
 		    name, (char *)client->displayname.value);
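Review bot: The success message on the following lines still ends in `(krb5_kuserok)`, but with KerberosUseKuserok off the decision now comes from krb5_aname_to_localname() inside ssh_krb5_kuserok(), so the auth log names the wrong check. A tag such as `(ssh_krb5_kuserok)`, or one chosen from the option value if `options` is visible in this file, keeps the audit trail accurate. Testing the flag first, `if (k5login_exists && ssh_krb5_kuserok(krb_context, princ, name, k5login_exists)) {`, also avoids a libkrb5 call whose result is discarded when the file is absent. The function body continues outside the hunk.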
Petr Šabata 81d24c
@@ -190,9 +289,8 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
Petr Šabata 81d24c
 	snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
Petr Šabata 81d24c
 	/* If both .k5login and .k5users DNE, self-login is ok. */
Petr Šabata 81d24c
 	if (!k5login_exists && (access(file, F_OK) == -1)) {
Petr Šabata 81d24c
-		return (krb5_aname_to_localname(krb_context, principal,
Petr Šabata 81d24c
-		    sizeof(kuser), kuser) == 0) &&
Petr Šabata 81d24c
-		    (strcmp(kuser, luser) == 0);
Petr Šabata 81d24c
+                return ssh_krb5_kuserok(krb_context, principal, luser,
Petr Šabata 81d24c
+                                        k5login_exists);
Petr Šabata 81d24c
 	}
Petr Šabata 81d24c
 	if ((fp = fopen(file, "r")) == NULL) {
Petr Šabata 81d24c
 		int saved_errno = errno;
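Review bot: In this branch `k5login_exists` is already known to be 0, so ssh_krb5_kuserok() always calls krb5_kuserok() here, even when KerberosUseKuserok is off. The existence test and the libkrb5 lookup are separate steps, and the comment added earlier in this file says krb5_kuserok() checks .k5login by default. A file that appears in the home directory between the two steps would therefore presumably be honoured despite the option; the .k5login test itself is outside the hunk, so this needs confirming. A comment should state that reliance, e.g. `/* k5login_exists is 0 here, so this always calls krb5_kuserok(); disable .k5login in krb5.conf if it must never be read */`. If `kuser` has no other use in ssh_gssapi_krb5_cmdok(), its declaration is now dead, and the two added lines are indented with spaces where the surrounding code uses tabs.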
Petr Šabata 81d24c
diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
Petr Šabata 81d24c
--- openssh-7.4p1/servconf.c.kuserok	2016-12-23 14:36:07.630465944 +0100
Petr Šabata 81d24c
+++ openssh-7.4p1/servconf.c	2016-12-23 15:11:52.278133344 +0100
Petr Šabata 81d24c
@@ -116,6 +116,7 @@ initialize_server_options(ServerOptions
Petr Šabata 81d24c
 	options->gss_strict_acceptor = -1;
Petr Šabata 81d24c
 	options->gss_store_rekey = -1;
Petr Šabata 81d24c
 	options->gss_kex_algorithms = NULL;
Petr Šabata 81d24c
+	options->use_kuserok = -1;
Petr Šabata 81d24c
 	options->password_authentication = -1;
Petr Šabata 81d24c
 	options->kbd_interactive_authentication = -1;
Petr Šabata 81d24c
 	options->challenge_response_authentication = -1;
Petr Šabata 81d24c
@@ -278,6 +279,8 @@ fill_default_server_options(ServerOption
Petr Šabata 81d24c
 	if (options->gss_kex_algorithms == NULL)
Petr Šabata 81d24c
 		options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
Petr Šabata 81d24c
 #endif
Petr Šabata 81d24c
+	if (options->use_kuserok == -1)
Petr Šabata 81d24c
+		options->use_kuserok = 1;
Petr Šabata 81d24c
 	if (options->password_authentication == -1)
Petr Šabata 81d24c
 		options->password_authentication = 1;
Petr Šabata 81d24c
 	if (options->kbd_interactive_authentication == -1)
Petr Šabata 81d24c
@@ -399,7 +402,7 @@ typedef enum {
Petr Šabata 81d24c
 	sPermitRootLogin, sLogFacility, sLogLevel,
Petr Šabata 81d24c
 	sRhostsRSAAuthentication, sRSAAuthentication,
Petr Šabata 81d24c
 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
Petr Šabata 81d24c
-	sKerberosGetAFSToken, sKerberosUniqueCCache,
Petr Šabata 81d24c
+	sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok,
Petr Šabata 81d24c
 	sChallengeResponseAuthentication,
Petr Šabata 81d24c
 	sPasswordAuthentication, sKbdInteractiveAuthentication,
Petr Šabata 81d24c
 	sListenAddress, sAddressFamily,
Petr Šabata 81d24c
@@ -478,12 +481,14 @@ static struct {
Petr Šabata 81d24c
 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
Petr Šabata 81d24c
 #endif
Petr Šabata 81d24c
 	{ "kerberosuniqueccache", sKerberosUniqueCCache, SSHCFG_GLOBAL },
Petr Šabata 81d24c
+	{ "kerberosusekuserok", sKerberosUseKuserok, SSHCFG_ALL },
Petr Šabata 81d24c
 #else
Petr Šabata 81d24c
 	{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
Petr Šabata 81d24c
 	{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
Petr Šabata 81d24c
 	{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
Petr Šabata 81d24c
 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
Petr Šabata 81d24c
 	{ "kerberosuniqueccache", sUnsupported, SSHCFG_GLOBAL },
Petr Šabata 81d24c
+	{ "kerberosusekuserok", sUnsupported, SSHCFG_ALL },
Petr Šabata 81d24c
 #endif
Petr Šabata 81d24c
 	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
Petr Šabata 81d24c
 	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
Petr Šabata 81d24c
@@ -1644,6 +1649,10 @@ process_server_config_line(ServerOptions
Petr Šabata 81d24c
 		*inc_flags &= ~SSHCFG_MATCH_ONLY;
Petr Šabata 81d24c
 		break;
Petr Šabata 81d24c
 
Petr Šabata 81d24c
+	case sKerberosUseKuserok:
Petr Šabata 81d24c
+		intptr = &options->use_kuserok;
Petr Šabata 81d24c
+		goto parse_flag;
Petr Šabata 81d24c
+
Petr Šabata 81d24c
 	case sPermitListen:
Petr Šabata 81d24c
 	case sPermitOpen:
Petr Šabata 81d24c
 		if (opcode == sPermitListen) {
Petr Šabata 81d24c
@@ -2016,6 +2025,7 @@ copy_set_server_options(ServerOptions *d
Petr Šabata 81d24c
 	M_CP_INTOPT(client_alive_interval);
Petr Šabata 81d24c
 	M_CP_INTOPT(ip_qos_interactive);
Petr Šabata 81d24c
 	M_CP_INTOPT(ip_qos_bulk);
Petr Šabata 81d24c
+	M_CP_INTOPT(use_kuserok);
Petr Šabata 81d24c
 	M_CP_INTOPT(rekey_limit);
Petr Šabata 81d24c
 	M_CP_INTOPT(rekey_interval);
Petr Šabata 81d24c
 	M_CP_INTOPT(log_level);
Petr Šabata 81d24c
@@ -2309,6 +2319,7 @@ dump_config(ServerOptions *o)
Petr Šabata 81d24c
 	dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
Petr Šabata 81d24c
 # endif
Petr Šabata 81d24c
 	dump_cfg_fmtint(sKerberosUniqueCCache, o->kerberos_unique_ccache);
Petr Šabata 81d24c
+	dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
Petr Šabata 81d24c
 #endif
Petr Šabata 81d24c
 #ifdef GSSAPI
Petr Šabata 81d24c
	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
Petr Šabata 81d24c
diff -up openssh-7.4p1/servconf.h.kuserok openssh-7.4p1/servconf.h
Petr Šabata 81d24c
--- openssh-7.4p1/servconf.h.kuserok	2016-12-23 14:36:07.630465944 +0100
Petr Šabata 81d24c
+++ openssh-7.4p1/servconf.h	2016-12-23 14:36:07.645465936 +0100
Petr Šabata 81d24c
@@ -118,6 +118,7 @@ typedef struct {
Petr Šabata 81d24c
 						 * authenticated with Kerberos. */
Petr Šabata 81d24c
 	int     kerberos_unique_ccache;		/* If true, the acquired ticket will
Petr Šabata 81d24c
 						 * be stored in per-session ccache */
Petr Šabata 81d24c
+	int	use_kuserok;
Petr Šabata 81d24c
 	int     gss_authentication;	/* If true, permit GSSAPI authentication */
Petr Šabata 81d24c
 	int     gss_keyex;		/* If true, permit GSSAPI key exchange */
Petr Šabata 81d24c
 	int     gss_cleanup_creds;	/* If true, destroy cred cache on logout */
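Review bot: `use_kuserok` is the only field in this stretch without a comment, and its name drops the `kerberos_` prefix that `kerberos_unique_ccache` above it carries. A comment such as `/* If true, authorize via krb5_kuserok(); if false, use krb5_aname_to_localname() when .k5login exists */` would match what ssh_krb5_kuserok() does with it. The struct starts and ends outside the hunk.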
Petr Šabata 81d24c
diff -up openssh-7.4p1/sshd_config.5.kuserok openssh-7.4p1/sshd_config.5
Petr Šabata 81d24c
--- openssh-7.4p1/sshd_config.5.kuserok	2016-12-23 14:36:07.637465940 +0100
Petr Šabata 81d24c
+++ openssh-7.4p1/sshd_config.5	2016-12-23 15:14:03.117162222 +0100
Petr Šabata 81d24c
@@ -850,6 +850,10 @@ Specifies whether to automatically destr
Petr Šabata 81d24c
 .Cm no
Petr Šabata 81d24c
 can lead to overwriting previous tickets by subseqent connections to the same
Petr Šabata 81d24c
 user account.
Petr Šabata 81d24c
+.It Cm KerberosUseKuserok
Petr Šabata 81d24c
+Specifies whether to look at .k5login file for user's aliases.
Petr Šabata 81d24c
+The default is
Petr Šabata 81d24c
+.Cm yes .
Petr Šabata 81d24c
 .It Cm KexAlgorithms
Petr Šabata 81d24c
 Specifies the available KEX (Key Exchange) algorithms.
Petr Šabata 81d24c
 Multiple algorithms must be comma-separated.
Petr Šabata 81d24c
@@ -1078,6 +1082,7 @@ Available keywords are
Petr Šabata 81d24c
 .Cm IPQoS ,
Petr Šabata 81d24c
 .Cm KbdInteractiveAuthentication ,
Petr Šabata 81d24c
 .Cm KerberosAuthentication ,
Petr Šabata 81d24c
+.Cm KerberosUseKuserok ,
Petr Šabata 81d24c
 .Cm LogLevel ,
Petr Šabata 81d24c
 .Cm MaxAuthTries ,
Petr Šabata 81d24c
 .Cm MaxSessions ,
Petr Šabata 81d24c
diff -up openssh-7.4p1/sshd_config.kuserok openssh-7.4p1/sshd_config
Petr Šabata 81d24c
--- openssh-7.4p1/sshd_config.kuserok	2016-12-23 14:36:07.631465943 +0100
Petr Šabata 81d24c
+++ openssh-7.4p1/sshd_config	2016-12-23 14:36:07.646465935 +0100
Petr Šabata 81d24c
@@ -73,6 +73,7 @@ ChallengeResponseAuthentication no
Petr Šabata 81d24c
 #KerberosOrLocalPasswd yes
Petr Šabata 81d24c
 #KerberosTicketCleanup yes
Petr Šabata 81d24c
 #KerberosGetAFSToken no
Petr Šabata 81d24c
+#KerberosUseKuserok yes
Petr Šabata 81d24c
 
Petr Šabata 81d24c
 # GSSAPI options
Petr Šabata 81d24c
 #GSSAPIAuthentication no