Jan F. Chadima 1b8a26
diff -up openssh-5.6p1/auth-krb5.c.kuserok openssh-5.6p1/auth-krb5.c
Jan F 82036a
--- openssh-5.6p1/auth-krb5.c.kuserok	2010-11-15 10:08:05.000000000 +0100
Jan F 82036a
+++ openssh-5.6p1/auth-krb5.c	2010-11-15 10:11:02.000000000 +0100
Jan F 82036a
@@ -54,6 +54,20 @@
Jan F 82036a
 
Jan F 82036a
 extern ServerOptions	 options;
Jan F 82036a
 
Jan F 82036a
+int
Jan F 82036a
+ssh_krb5_kuserok(krb5_context krb5_ctx, krb5_principal krb5_user, const char *client)
Jan F 82036a
+{
Jan F 82036a
+	if (options.use_kuserok)
Jan F 82036a
+		return krb5_kuserok(krb5_ctx, krb5_user, client);
Jan F 82036a
+	else {
Jan F 82036a
+		char kuser[65];
Jan F 82036a
+
Jan F 82036a
+		if (krb5_aname_to_localname(krb5_ctx, krb5_user, sizeof(kuser), kuser))
Jan F 82036a
+			return 0;
Jan F 82036a
+		return strcmp(kuser, client) == 0;
Jan F 82036a
+	}
Jan F 82036a
+}
Jan F 82036a
+
Jan F 82036a
 static int
Jan F 82036a
 krb5_init(void *context)
Jan F 82036a
 {
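Review bot: In the `!options.use_kuserok` branch both refusals — a failing `krb5_aname_to_localname` and a name mismatch — return 0 without any log line, so an administrator who turns KerberosUseKuserok off has no way to see why a Kerberos login was refused; a `debug("krb5_aname_to_localname failed for principal of %s", client)` before the first `return 0;` (assuming the sshd log helpers are in scope in auth-krb5.c, as they are elsewhere in the file) would fix that. The bare `65` should be explained, e.g. `char kuser[65]; /* local name limit: 64 chars + NUL; a longer mapping fails and is denied */`, because it silently caps which local names can ever match. A header comment should state the contract: with KerberosUseKuserok the decision is delegated to `krb5_kuserok`, otherwise the principal is mapped through the Kerberos library's local-name rules and must equal the requested login name exactly, with every mapping failure treated as a denial (fail-closed, which is the right default). Since the function is exported for gss-serv-krb5.c, its prototype belongs in a shared header such as auth.h rather than a per-file `extern`, so definition and caller are checked against one signature.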
Jan F 82036a
@@ -146,7 +160,7 @@ auth_krb5_password(Authctxt *authctxt, c
Jan F. Chadima 59d42d
 	if (problem)
Jan F. Chadima 59d42d
 		goto out;
Jan F. Chadima 59d42d
 
Jan F. Chadima 59d42d
-	if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
Jan F 82036a
+	if (!ssh_krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
Jan F 82036a
 		problem = -1;
Jan F 82036a
 		goto out;
Jan F. Chadima 59d42d
 	}
Jan F 46c77f
diff -up openssh-5.6p1/gss-serv-krb5.c.kuserok openssh-5.6p1/gss-serv-krb5.c
Jan F 82036a
--- openssh-5.6p1/gss-serv-krb5.c.kuserok	2010-11-15 10:08:05.000000000 +0100
Jan F 82036a
+++ openssh-5.6p1/gss-serv-krb5.c	2010-11-15 10:12:35.000000000 +0100
Jan F 82036a
@@ -57,6 +57,7 @@ extern ServerOptions options;
Jan F 82036a
 #endif
Jan F 82036a
 
Jan F 82036a
 static krb5_context krb_context = NULL;
Jan F 82036a
+extern int ssh_krb5_kuserok(krb5_context, krb5_principal, const char *);
Jan F 82036a
 
Jan F 82036a
 /* Initialise the krb5 library, for the stuff that GSSAPI won't do */
Jan F 82036a
 
Jan F 82036a
@@ -97,7 +98,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
Jan F 46c77f
 		    krb5_get_err_text(krb_context, retval));
Jan F 46c77f
 		return 0;
Jan F 46c77f
 	}
Jan F 46c77f
-	if (krb5_kuserok(krb_context, princ, name)) {
Jan F 82036a
+	if (ssh_krb5_kuserok(krb_context, princ, name)) {
Jan F 82036a
 		retval = 1;
Jan F 82036a
 		logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
Jan F 82036a
 		    name, (char *)client->displayname.value);
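Review bot: The unchanged log line `logit("Authorized to %s, krb5 principal %s (krb5_kuserok)", ...)` now names `krb5_kuserok` even when KerberosUseKuserok is off and the decision actually came from the local-name mapping, which will mislead anyone auditing logs for .k5login use. I would change the tag to the wrapper's name, `"Authorized to %s, krb5 principal %s (ssh_krb5_kuserok)"`, or pick the tag from `options.use_kuserok` if `options` is available here (its `extern` in the earlier hunk appears to be conditionally compiled). ssh_gssapi_krb5_userok begins before this hunk, so the surrounding error handling is not visible.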
Jan F. Chadima 1b8a26
diff -up openssh-5.6p1/servconf.c.kuserok openssh-5.6p1/servconf.c
Jan F 82036a
--- openssh-5.6p1/servconf.c.kuserok	2010-11-15 10:08:05.000000000 +0100
Jan F 82036a
+++ openssh-5.6p1/servconf.c	2010-11-15 10:08:05.000000000 +0100
Jan F. Chadima 1b8a26
@@ -138,6 +138,7 @@ initialize_server_options(ServerOptions 
Jan F. Chadima 59d42d
 	options->revoked_keys_file = NULL;
Jan F. Chadima 59d42d
 	options->trusted_user_ca_keys = NULL;
Jan F. Chadima 1b8a26
 	options->authorized_principals_file = NULL;
Jan F. Chadima 59d42d
+	options->use_kuserok = -1;
Jan F. Chadima 59d42d
 }
Jan F. Chadima 59d42d
 
Jan F. Chadima 59d42d
 void
Jan F. Chadima 1b8a26
@@ -286,6 +287,8 @@ fill_default_server_options(ServerOption
Jan F. Chadima 59d42d
 	if (use_privsep == -1)
Jan F. Chadima 59d42d
 		use_privsep = 1;
Jan F. Chadima 59d42d
 
Jan F. Chadima 59d42d
+	if (options->use_kuserok == -1)
Jan F. Chadima 59d42d
+		options->use_kuserok = 1;
Jan F. Chadima 59d42d
 #ifndef HAVE_MMAP
Jan F. Chadima 59d42d
 	if (use_privsep && options->compression == 1) {
Jan F. Chadima 59d42d
 		error("This platform does not support both privilege "
Jan F. Chadima 1b8a26
@@ -307,7 +310,7 @@ typedef enum {
Jan F. Chadima 59d42d
 	sPermitRootLogin, sLogFacility, sLogLevel,
Jan F. Chadima 59d42d
 	sRhostsRSAAuthentication, sRSAAuthentication,
Jan F. Chadima 59d42d
 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
Jan F. Chadima 59d42d
-	sKerberosGetAFSToken,
Jan F. Chadima 59d42d
+	sKerberosGetAFSToken, sKerberosUseKuserok,
Jan F. Chadima 59d42d
 	sKerberosTgtPassing, sChallengeResponseAuthentication,
Jan F. Chadima 59d42d
 	sPasswordAuthentication, sKbdInteractiveAuthentication,
Jan F. Chadima 59d42d
 	sListenAddress, sAddressFamily,
Jan F. Chadima 1b8a26
@@ -377,11 +380,13 @@ static struct {
Jan F. Chadima 59d42d
 #else
Jan F. Chadima 59d42d
 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
Jan F. Chadima 59d42d
 #endif
Jan F. Chadima 59d42d
+	{ "kerberosusekuserok", sKerberosUseKuserok, SSHCFG_ALL },
Jan F. Chadima 59d42d
 #else
Jan F. Chadima 59d42d
 	{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
Jan F. Chadima 59d42d
 	{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
Jan F. Chadima 59d42d
 	{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
Jan F. Chadima 59d42d
 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
Jan F. Chadima 59d42d
+	{ "kerberosusekuserok", sUnsupported, SSHCFG_ALL },
Jan F. Chadima 59d42d
 #endif
Jan F. Chadima 59d42d
 	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
Jan F. Chadima 59d42d
 	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
Jan F. Chadima 1b8a26
@@ -1341,6 +1346,10 @@ process_server_config_line(ServerOptions
Jan F. Chadima 59d42d
 		*activep = value;
Jan F. Chadima 59d42d
 		break;
Jan F. Chadima 59d42d
 
Jan F. Chadima 59d42d
+	case sKerberosUseKuserok:
Jan F. Chadima 59d42d
+		intptr = &options->use_kuserok;
Jan F. Chadima 59d42d
+		goto parse_flag;
Jan F. Chadima 59d42d
+
Jan F. Chadima 59d42d
 	case sPermitOpen:
Jan F. Chadima 59d42d
 		arg = strdelim(&cp;;
Jan F. Chadima 59d42d
 		if (!arg || *arg == '\0')
Jan F. Chadima 1b8a26
@@ -1525,6 +1534,7 @@ copy_set_server_options(ServerOptions *d
Jan F. Chadima 59d42d
 	M_CP_INTOPT(x11_use_localhost);
Jan F. Chadima 59d42d
 	M_CP_INTOPT(max_sessions);
Jan F. Chadima 59d42d
 	M_CP_INTOPT(max_authtries);
Jan F. Chadima 59d42d
+	M_CP_INTOPT(use_kuserok);
Jan F. Chadima 59d42d
 
Jan F. Chadima 59d42d
 	M_CP_STROPT(banner);
Jan F. Chadima 59d42d
 	if (preauth)
Jan F. Chadima 1b8a26
@@ -1745,6 +1755,7 @@ dump_config(ServerOptions *o)
Jan F. Chadima 59d42d
 	dump_cfg_fmtint(sUseDNS, o->use_dns);
Jan F. Chadima 59d42d
 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
Jan F. Chadima 59d42d
 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
Jan F. Chadima 59d42d
+	dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
Jan F. Chadima 59d42d
 
Jan F. Chadima 59d42d
 	/* string arguments */
Jan F. Chadima 59d42d
 	dump_cfg_string(sPidFile, o->pid_file);
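Review bot: `dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok)` is placed among the unconditional options next to UsePrivilegeSeparation; if this file keeps the other Kerberos dumps (sKerberosAuthentication and friends) inside an `#ifdef KRB5` group as upstream does, this line should move there, because in a build without KRB5 the keyword table maps `kerberosusekuserok` to sUnsupported and the opcode-to-name lookup behind dump_cfg_fmtint then has no entry for sKerberosUseKuserok. Moving it also keeps the `sshd -T` output grouped with the option's siblings. dump_config starts and ends outside this hunk.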
Jan F. Chadima 1b8a26
diff -up openssh-5.6p1/servconf.h.kuserok openssh-5.6p1/servconf.h
Jan F 82036a
--- openssh-5.6p1/servconf.h.kuserok	2010-11-15 10:08:05.000000000 +0100
Jan F 82036a
+++ openssh-5.6p1/servconf.h	2010-11-15 10:08:05.000000000 +0100
Jan F. Chadima 59d42d
@@ -157,6 +157,7 @@ typedef struct {
Jan F. Chadima 59d42d
 
Jan F. Chadima 59d42d
 	int	num_permitted_opens;
Jan F. Chadima 59d42d
 
Jan F. Chadima 59d42d
+	int	use_kuserok;
Jan F. Chadima 59d42d
 	char   *chroot_directory;
Jan F. Chadima 59d42d
 	char   *revoked_keys_file;
Jan F. Chadima 59d42d
 	char   *trusted_user_ca_keys;
Jan F. Chadima 1b8a26
diff -up openssh-5.6p1/sshd_config.5.kuserok openssh-5.6p1/sshd_config.5
Jan F 82036a
--- openssh-5.6p1/sshd_config.5.kuserok	2010-11-15 10:08:05.000000000 +0100
Jan F 82036a
+++ openssh-5.6p1/sshd_config.5	2010-11-15 10:08:05.000000000 +0100
Jan F. Chadima 1b8a26
@@ -564,6 +564,10 @@ Specifies whether to automatically destr
Jan F. Chadima 59d42d
 file on logout.
Jan F. Chadima 59d42d
 The default is
Jan F. Chadima 59d42d
 .Dq yes .
Jan F. Chadima 59d42d
+.It Cm KerberosUseKuserok
Jan F. Chadima 59d42d
+Specifies whether to look at .k5login file for user's aliases.
Jan F. Chadima 59d42d
+The default is
Jan F. Chadima 59d42d
+.Dq yes .
Jan F. Chadima 59d42d
 .It Cm KeyRegenerationInterval
Jan F. Chadima 59d42d
 In protocol version 1, the ephemeral server key is automatically regenerated
Jan F. Chadima 59d42d
 after this many seconds (if it has been used).
Jan F. Chadima 1b8a26
@@ -694,6 +698,7 @@ Available keywords are
Jan F. Chadima 1b8a26
 .Cm HostbasedUsesNameFromPacketOnly ,
Jan F. Chadima 59d42d
 .Cm KbdInteractiveAuthentication ,
Jan F. Chadima 59d42d
 .Cm KerberosAuthentication ,
Jan F. Chadima 59d42d
+.Cm KerberosUseKuserok ,
Jan F. Chadima 59d42d
 .Cm MaxAuthTries ,
Jan F. Chadima 59d42d
 .Cm MaxSessions ,
Jan F. Chadima 7818e5
 .Cm PubkeyAuthentication ,
Jan F. Chadima 1b8a26
diff -up openssh-5.6p1/sshd_config.kuserok openssh-5.6p1/sshd_config
Jan F 82036a
--- openssh-5.6p1/sshd_config.kuserok	2010-11-15 10:08:05.000000000 +0100
Jan F 82036a
+++ openssh-5.6p1/sshd_config	2010-11-15 10:08:05.000000000 +0100
Jan F. Chadima 59d42d
@@ -72,6 +72,7 @@ ChallengeResponseAuthentication no
Jan F. Chadima 59d42d
 #KerberosOrLocalPasswd yes
Jan F. Chadima 59d42d
 #KerberosTicketCleanup yes
Jan F. Chadima 59d42d
 #KerberosGetAFSToken no
Jan F. Chadima 59d42d
+#KerberosUseKuserok yes
Jan F. Chadima 59d42d
 
Jan F. Chadima 59d42d
 # GSSAPI options
Jan F. Chadima 59d42d
 #GSSAPIAuthentication no