diff -up openssh-7.4p1/auth-krb5.c.kuserok openssh-7.4p1/auth-krb5.c
--- openssh-7.4p1/auth-krb5.c.kuserok	2016-12-23 14:36:07.640465939 +0100
+++ openssh-7.4p1/auth-krb5.c	2016-12-23 14:36:07.644465936 +0100
@@ -56,6 +56,21 @@
 
 extern ServerOptions	 options;
 
+int
+ssh_krb5_kuserok(krb5_context krb5_ctx, krb5_principal krb5_user, const char *client,
+                 int k5login_exists)
+{
+	if (options.use_kuserok || !k5login_exists)
+		return krb5_kuserok(krb5_ctx, krb5_user, client);
+	else {
+		char kuser[65];
+
+		if (krb5_aname_to_localname(krb5_ctx, krb5_user, sizeof(kuser), kuser))
+			return 0;
+		return strcmp(kuser, client) == 0;
+	}
+}
+
 static int
 krb5_init(void *context)
 {
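Review bot: `ssh_krb5_kuserok()` is a new, externally linked authorization primitive with no comment stating its contract, and its only prototype is a hand-written `extern` in gss-serv-krb5.c that the compiler never checks against this definition. Put the prototype in a header both files include and document it above the definition, e.g. `/* Returns 1 if krb5_user may log in as client. With KerberosUseKuserok=yes, or when no ~/.k5login exists, defers to krb5_kuserok() (localauth plugins, krb5.conf); otherwise requires an exact krb5_aname_to_localname() == client match and never consults ~/.k5login. */`. The fallback branch fails closed (any krb5_aname_to_localname() error returns 0), which is right, but `char kuser[65]` is an unexplained magic size; give it a named constant and note that an over-long local name is rejected rather than truncated — assuming libkrb5 returns an error when the buffer is too small, as MIT documents. The function is complete within this hunk.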
@@ -160,8 +175,9 @@ auth_krb5_password(Authctxt *authctxt, c
 	if (problem)
 		goto out;
 
-	if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
-	    authctxt->pw->pw_name)) {
+	/* Use !options.use_kuserok here to make ssh_krb5_kuserok() not
+	 * depend on the existance of .k5login */
+	if (!ssh_krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, authctxt->pw->pw_name, !options.use_kuserok)) {
 		problem = -1;
 		goto out;
 	}
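Review bot: The password path at `if (!ssh_krb5_kuserok(..., !options.use_kuserok))` never checks whether ~/.k5login actually exists, so with KerberosUseKuserok=no it always takes the strict aname-to-localname comparison, while the GSSAPI path in gss-serv-krb5.c only does so when a .k5login file is present and otherwise still reaches krb5_kuserok() (via ssh_gssapi_krb5_cmdok() when .k5users is absent too). The same principal can therefore be accepted over GSSAPI and refused over Kerberos password authentication under one sshd_config. If that divergence is intended, the comment should say so instead of only explaining the argument trick, e.g. `/* Password path: with KerberosUseKuserok=no always use the strict localname match, whether or not .k5login exists (unlike the GSSAPI path). */`; otherwise compute k5login_exists from pw->pw_dir the way gss-serv-krb5.c does. The comment also misspells "existence". auth_krb5_password() starts and ends outside this hunk.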
diff -up openssh-7.4p1/gss-serv-krb5.c.kuserok openssh-7.4p1/gss-serv-krb5.c
--- openssh-7.4p1/gss-serv-krb5.c.kuserok	2016-12-23 14:36:07.640465939 +0100
+++ openssh-7.4p1/gss-serv-krb5.c	2016-12-23 14:36:07.644465936 +0100
@@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr
     int);
 
 static krb5_context krb_context = NULL;
+extern int ssh_krb5_kuserok(krb5_context, krb5_principal, const char *, int);
 
 /* Initialise the krb5 library, for the stuff that GSSAPI won't do */
 
@@ -92,6 +93,103 @@ ssh_gssapi_krb5_init(void)
  * Returns true if the user is OK to log in, otherwise returns 0
  */
 
+/* The purpose of the function is to find out if a Kerberos principal is
+ * allowed to log in as the given local user. This is a general problem with
+ * Kerberized services because by design the Kerberos principals are
+ * completely independent from the local user names. This is one of the
+ * reasons why Kerberos is working well on different operating systems like
+ * Windows and UNIX/Linux. Nevertheless a relationship between a Kerberos
+ * principal and a local user name must be established because otherwise every
+ * access would be granted for every principal with a valid ticket.
+ *
+ * Since it is a general issue libkrb5 provides some functions for
+ * applications to find out about the relationship between the Kerberos
+ * principal and a local user name. They are krb5_kuserok() and
+ * krb5_aname_to_localname().
+ *
+ * krb5_kuserok() can be used to "Determine if a principal is authorized to
+ * log in as a local user" (from the MIT Kerberos documentation of this
+ * function). Which is exactly what we are looking for and should be the
+ * preferred choice. It accepts the Kerberos principal and a local user name
+ * and let libkrb5 or its plugins determine if they relate to each other or
+ * not.
+ *
+ * krb5_aname_to_localname() can use used to "Convert a principal name to a
+ * local name" (from the MIT Kerberos documentation of this function). It
+ * accepts a Kerberos principle and returns a local name and it is up to the
+ * application to do any additional checks. There are two issues using
+ * krb5_aname_to_localname(). First, since POSIX user names are case
+ * sensitive, the calling application in general has no other choice than
+ * doing a case-sensitive string comparison between the name returned by
+ * krb5_aname_to_localname() and the name used at the login prompt. When the
+ * users are provided by a case in-sensitive server, e.g. Active Directory,
+ * this might lead to login failures because the user typing the name at the
+ * login prompt might not be aware of the right case. Another issue might be
+ * caused if there are multiple alias names available for a single user. E.g.
+ * the canonical name of a user is user@group.department.example.com but there
+ * exists a shorter login name, e.g. user@example.com, to safe typing at the
+ * login prompt. Here krb5_aname_to_localname() can only return the canonical
+ * name, but if the short alias is used at the login prompt authentication
+ * will fail as well. All this can be avoided by using krb5_kuserok() and
+ * configuring krb5.conf or using a suitable plugin to meet the needs of the
+ * given environment.
+ *
+ * The Fedora and RHEL version of openssh contain two patches which modify the
+ * access control behavior:
+ *  - openssh-6.6p1-kuserok.patch
+ *  - openssh-6.6p1-force_krb.patch
+ *
+ * openssh-6.6p1-kuserok.patch adds a new option KerberosUseKuserok for
+ * sshd_config which controls if krb5_kuserok() is used to check if the
+ * principle is authorized or if krb5_aname_to_localname() should be used.
+ * The reason to add this patch was that krb5_kuserok() by default checks if
+ * a .k5login file exits in the users home-directory. With this the user can
+ * give access to his account for any given principal which might be
+ * in violation with company policies and it would be useful if this can be
+ * rejected. Nevertheless the patch ignores the fact that krb5_kuserok() does
+ * no only check .k5login but other sources as well and checking .k5login can
+ * be disabled for all applications in krb5.conf as well. With this new
+ * option KerberosUseKuserok set to 'no' (and this is the default for RHEL7
+ * and Fedora 21) openssh can only use krb5_aname_to_localname() with the
+ * restrictions mentioned above.
+ *
+ * openssh-6.6p1-force_krb.patch adds a ksu like behaviour to ssh, i.e. when
+ * using GSSAPI authentication only commands configured in the .k5user can be
+ * executed. Here the wrong assumption that krb5_kuserok() only checks
+ * .k5login is made as well. In contrast ksu checks .k5login directly and
+ * does not use krb5_kuserok() which might be more useful for the given
+ * purpose. Additionally this patch is not synced with
+ * openssh-6.6p1-kuserok.patch.
+ *
+ * The current patch tries to restore the usage of krb5_kuserok() so that e.g.
+ * localauth plugins can be used. It does so by adding a forth parameter to
+ * ssh_krb5_kuserok() which indicates whether .k5login exists or not. If it
+ * does not exists krb5_kuserok() is called even if KerberosUseKuserok is set
+ * to 'no' because the intent of the option is to not check .k5login and if it
+ * does not exists krb5_kuserok() returns a result without checking .k5login.
+ * If .k5login does exists and KerberosUseKuserok is 'no' we fall back to
+ * krb5_aname_to_localname(). This is in my point of view an acceptable
+ * limitation and does not break the current behaviour.
+ *
+ * Additionally with this patch ssh_krb5_kuserok() is called in
+ * ssh_gssapi_krb5_cmdok() instead of only krb5_aname_to_localname() is
+ * neither .k5login nor .k5users exists to allow plugin evaluation via
+ * krb5_kuserok() as well.
+ *
+ * I tried to keep the patch as minimal as possible, nevertheless I see some
+ * areas for improvement which, if they make sense, have to be evaluated
+ * carefully because they might change existing behaviour and cause breaks
+ * during upgrade:
+ * - I wonder if disabling .k5login usage make sense in sshd or if it should
+ *   be better disabled globally in krb5.conf
+ * - if really needed openssh-6.6p1-kuserok.patch should be fixed to really
+ *   only disable checking .k5login and maybe .k5users
+ * - the ksu behaviour should be configurable and maybe check the .k5login and
+ *   .k5users files directly like ksu itself does
+ * - to make krb5_aname_to_localname() more useful an option for sshd to use
+ *   the canonical name (the one returned by getpwnam()) instead of the name
+ *   given at the login prompt might be useful */
+
 static int
 ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
 {
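Review bot: The rationale comment states that KerberosUseKuserok 'no' `is the default for RHEL7 and Fedora 21`, but this same patch sets `options->use_kuserok = 1` in fill_default_server_options() and documents the default as `yes` in sshd_config.5, so a reader of this comment concludes the opposite of what the shipped code does; change it to `With KerberosUseKuserok set to 'no' (the default is 'yes') openssh can only use krb5_aname_to_localname() ...`. The block is also inserted between the existing `Returns true if the user is OK to log in` header and `ssh_gssapi_krb5_userok()`, detaching that function's own documentation; moving it above the original header keeps the function documented. Several typos should be fixed while here: "principle" → "principal" (twice), "can use used" → "can be used", "safe typing" → "save typing", "no only check" → "not only check", "forth parameter" → "fourth parameter", "does not exists" → "does not exist", and "is neither .k5login nor .k5users exists" → "if neither .k5login nor .k5users exists". The first-person "in my point of view" and "I tried" phrasing also reads as a mailing-list post rather than a source comment.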
@@ -116,7 +214,8 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
 	/* NOTE: .k5login and .k5users must opened as root, not the user,
 	 * because if they are on a krb5-protected filesystem, user credentials
 	 * to access these files aren't available yet. */
-	if (krb5_kuserok(krb_context, princ, name) && k5login_exists) {
+	if (k5login_exists &&
+	    ssh_krb5_kuserok(krb_context, princ, name, k5login_exists)) {
 		retval = 1;
 		logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
 		    name, (char *)client->displayname.value);
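Review bot: When KerberosUseKuserok is no and ~/.k5login exists, the `k5login_exists && ssh_krb5_kuserok(...)` test succeeds through the krb5_aname_to_localname() string comparison, yet the success message two lines below still says `(krb5_kuserok)`, so the audit log misattributes which mechanism granted access. Record the actual path, e.g. `logit("Authorized to %s, krb5 principal %s (%s)", name, (char *)client->displayname.value, options.use_kuserok ? "krb5_kuserok" : "krb5_aname_to_localname");`, assuming `options` is visible in this file (it is read inside ssh_krb5_kuserok() in auth-krb5.c); otherwise have ssh_krb5_kuserok() log the branch it took. ssh_gssapi_krb5_userok() continues past the end of this hunk.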
@@ -190,9 +289,8 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
 	snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
 	/* If both .k5login and .k5users DNE, self-login is ok. */
 	if (!k5login_exists && (access(file, F_OK) == -1)) {
-		return (krb5_aname_to_localname(krb_context, principal,
-		    sizeof(kuser), kuser) == 0) &&
-		    (strcmp(kuser, luser) == 0);
+                return ssh_krb5_kuserok(krb_context, principal, luser,
+                                        k5login_exists);
 	}
 	if ((fp = fopen(file, "r")) == NULL) {
 		int saved_errno = errno;
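Review bot: The context comment `/* If both .k5login and .k5users DNE, self-login is ok. */` no longer describes the code beneath it: the return is now `ssh_krb5_kuserok(..., k5login_exists)` with k5login_exists false, which always calls krb5_kuserok() and so may accept any principal that krb5.conf mappings or a localauth plugin map to luser, not only the self-login case. Update it to `/* If both .k5login and .k5users DNE, defer to krb5_kuserok() (krb5.conf mappings / localauth plugins) rather than a bare self-login check. */`. The two added lines are indented with spaces while the surrounding code uses tabs. The access(F_OK)-then-fopen() window is pre-existing, not introduced here. ssh_gssapi_krb5_cmdok() starts and ends outside this hunk.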
diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.kuserok	2016-12-23 14:36:07.630465944 +0100
+++ openssh-7.4p1/servconf.c	2016-12-23 15:11:52.278133344 +0100
@@ -116,6 +116,7 @@ initialize_server_options(ServerOptions
 	options->gss_strict_acceptor = -1;
 	options->gss_store_rekey = -1;
 	options->gss_kex_algorithms = NULL;
+	options->use_kuserok = -1;
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
	options->permit_empty_passwd = -1;
@@ -278,6 +279,8 @@ fill_default_server_options(ServerOption
 	if (options->gss_kex_algorithms == NULL)
 		options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
 #endif
+	if (options->use_kuserok == -1)
+		options->use_kuserok = 1;
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)
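Review bot: `options->use_kuserok = 1` is the security-relevant default of this patch — it keeps krb5_kuserok(), and with it a user-controlled ~/.k5login, in the authorization path — yet it is the only line in this default table whose consequence a reader cannot guess from its name. Add a one-line comment, e.g. `/* KerberosUseKuserok yes: authorize via krb5_kuserok(), which honours ~/.k5login and localauth plugins */`, so that sites that must forbid user-granted access know which knob to flip. fill_default_server_options() starts and ends outside this hunk.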
@@ -399,7 +402,7 @@ typedef enum {
	sPort, sHostKeyFile, sLoginGraceTime,
	sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
-	sKerberosGetAFSToken, sKerberosUniqueCCache, sPasswordAuthentication,
+	sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok, sPasswordAuthentication,
	sKbdInteractiveAuthentication, sListenAddress, sAddressFamily,
	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
@@ -478,12 +481,14 @@ static struct {
 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
 #endif
 	{ "kerberosuniqueccache", sKerberosUniqueCCache, SSHCFG_GLOBAL },
+	{ "kerberosusekuserok", sKerberosUseKuserok, SSHCFG_ALL },
 #else
 	{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
 	{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
 	{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
 	{ "kerberosuniqueccache", sUnsupported, SSHCFG_GLOBAL },
+	{ "kerberosusekuserok", sUnsupported, SSHCFG_ALL },
 #endif
 	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
 	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
@@ -1644,6 +1649,10 @@ process_server_config_line(ServerOptions
		}
		break;
+	case sKerberosUseKuserok:
+		intptr = &options->use_kuserok;
+		goto parse_flag;
+
	case sMatch:
		if (cmdline)
			fatal("Match directive not supported as a command-line "
@@ -2016,6 +2025,7 @@ copy_set_server_options(ServerOptions *d
 	M_CP_INTOPT(client_alive_interval);
 	M_CP_INTOPT(ip_qos_interactive);
 	M_CP_INTOPT(ip_qos_bulk);
+	M_CP_INTOPT(use_kuserok);
 	M_CP_INTOPT(rekey_limit);
 	M_CP_INTOPT(rekey_interval);
 	M_CP_INTOPT(log_level);
@@ -2309,6 +2319,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
 # endif
 	dump_cfg_fmtint(sKerberosUniqueCCache, o->kerberos_unique_ccache);
+	dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
 #endif
 #ifdef GSSAPI
	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
diff -up openssh-7.4p1/servconf.h.kuserok openssh-7.4p1/servconf.h
--- openssh-7.4p1/servconf.h.kuserok	2016-12-23 14:36:07.630465944 +0100
+++ openssh-7.4p1/servconf.h	2016-12-23 14:36:07.645465936 +0100
@@ -118,6 +118,7 @@ typedef struct {
 						 * authenticated with Kerberos. */
 	int     kerberos_unique_ccache;		/* If true, the acquired ticket will
 						 * be stored in per-session ccache */
+	int	use_kuserok;
 	int     gss_authentication;	/* If true, permit GSSAPI authentication */
 	int     gss_keyex;		/* If true, permit GSSAPI key exchange */
 	int     gss_cleanup_creds;	/* If true, destroy cred cache on logout */
diff -up openssh-7.4p1/sshd_config.5.kuserok openssh-7.4p1/sshd_config.5
--- openssh-7.4p1/sshd_config.5.kuserok	2016-12-23 14:36:07.637465940 +0100
+++ openssh-7.4p1/sshd_config.5	2016-12-23 15:14:03.117162222 +0100
@@ -850,6 +850,10 @@ Specifies whether to automatically destr
 .Cm no
 can lead to overwriting previous tickets by subseqent connections to the same
 user account.
+.It Cm KerberosUseKuserok
+Specifies whether to look at .k5login file for user's aliases.
+The default is
+.Cm yes .
 .It Cm KexAlgorithms
 Specifies the available KEX (Key Exchange) algorithms.
 Multiple algorithms must be comma-separated.
@@ -1078,6 +1082,7 @@ Available keywords are
 .Cm IPQoS ,
 .Cm KbdInteractiveAuthentication ,
 .Cm KerberosAuthentication ,
+.Cm KerberosUseKuserok ,
 .Cm LogLevel ,
 .Cm MaxAuthTries ,
 .Cm MaxSessions ,
diff -up openssh-7.4p1/sshd_config.kuserok openssh-7.4p1/sshd_config
--- openssh-7.4p1/sshd_config.kuserok	2016-12-23 14:36:07.631465943 +0100
+++ openssh-7.4p1/sshd_config	2016-12-23 14:36:07.646465935 +0100
@@ -73,6 +73,7 @@ ChallengeResponseAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
 #KerberosGetAFSToken no
+#KerberosUseKuserok yes
 
 # GSSAPI options
 #GSSAPIAuthentication no