|
 |
943807 |
diff --git a/auth-krb5.c b/auth-krb5.c
|
|
|
943807 |
index 2b02a04..19b9364 100644
|
|
|
943807 |
--- a/auth-krb5.c
|
|
|
943807 |
+++ b/auth-krb5.c
|
|
|
943807 |
@@ -375,5 +375,21 @@ cleanup:
|
|
|
943807 |
return (krb5_cc_resolve(ctx, ccname, ccache));
|
|
|
943807 |
}
|
|
|
943807 |
}
|
|
|
943807 |
+
|
|
|
943807 |
+/*
|
|
|
943807 |
+ * Reads k5login_directory option from the krb5.conf
|
|
|
943807 |
+ */
|
|
|
943807 |
+krb5_error_code
|
|
|
943807 |
+ssh_krb5_get_k5login_directory(krb5_context ctx, char **k5login_directory) {
|
|
|
943807 |
+ profile_t p;
|
|
|
943807 |
+ int ret = 0;
|
|
|
943807 |
+
|
|
|
943807 |
+ ret = krb5_get_profile(ctx, &p);
|
|
|
943807 |
+ if (ret)
|
|
|
943807 |
+ return ret;
|
|
|
943807 |
+
|
|
|
943807 |
+ return profile_get_string(p, "libdefaults", "k5login_directory", NULL, NULL,
|
|
|
943807 |
+ k5login_directory);
|
|
|
943807 |
+}
|
|
|
943807 |
#endif /* !HEIMDAL */
|
|
|
943807 |
#endif /* KRB5 */
|
|
|
943807 |
diff --git a/auth.h b/auth.h
|
|
|
943807 |
index f9d191c..c432d2f 100644
|
|
|
943807 |
--- a/auth.h
|
|
|
943807 |
+++ b/auth.h
|
|
|
943807 |
@@ -222,6 +222,8 @@ int sys_auth_passwd(Authctxt *, const char *);
|
|
|
943807 |
|
|
|
943807 |
#if defined(KRB5) && !defined(HEIMDAL)
|
|
|
943807 |
krb5_error_code ssh_krb5_cc_new_unique(krb5_context, krb5_ccache *, int *);
|
|
|
943807 |
+krb5_error_code ssh_krb5_get_k5login_directory(krb5_context ctx,
|
|
|
943807 |
+ char **k5login_directory);
|
|
|
943807 |
#endif
|
|
|
943807 |
|
|
|
943807 |
#endif /* AUTH_H */
|
|
|
943807 |
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
|
|
|
943807 |
index a7c0c5f..df8cc9a 100644
|
|
|
943807 |
--- a/gss-serv-krb5.c
|
|
|
943807 |
+++ b/gss-serv-krb5.c
|
|
|
943807 |
@@ -244,8 +244,27 @@ ssh_gssapi_k5login_exists()
|
|
|
943807 |
{
|
|
|
943807 |
char file[MAXPATHLEN];
|
|
|
943807 |
struct passwd *pw = the_authctxt->pw;
|
|
|
943807 |
+ char *k5login_directory = NULL;
|
|
|
943807 |
+ int ret = 0;
|
|
|
943807 |
+
|
|
|
943807 |
+ ret = ssh_krb5_get_k5login_directory(krb_context, &k5login_directory);
|
|
|
943807 |
+ debug3_f("k5login_directory = %s (rv=%d)", k5login_directory, ret);
|
|
|
943807 |
+ if (k5login_directory == NULL || ret != 0) {
|
|
|
943807 |
+ /* If not set, the library will look for k5login
|
|
|
943807 |
+ * files in the user's home directory, with the filename .k5login.
|
|
|
943807 |
+ */
|
|
|
943807 |
+ snprintf(file, sizeof(file), "%s/.k5login", pw->pw_dir);
|
|
|
943807 |
+ } else {
|
|
|
943807 |
+ /* If set, the library will look for a local user's k5login file
|
|
|
943807 |
+ * within the named directory, with a filename corresponding to the
|
|
|
943807 |
+ * local username.
|
|
|
943807 |
+ */
|
|
|
943807 |
+ snprintf(file, sizeof(file), "%s%s%s", k5login_directory,
|
|
|
943807 |
+ k5login_directory[strlen(k5login_directory)-1] != '/' ? "/" : "",
|
|
|
943807 |
+ pw->pw_name);
|
|
|
943807 |
+ }
|
|
|
943807 |
+ debug_f("Checking existence of file %s", file);
|
|
|
943807 |
|
|
|
943807 |
- snprintf(file, sizeof(file), "%s/.k5login", pw->pw_dir);
|
|
|
943807 |
return access(file, F_OK) == 0;
|
|
|
943807 |
}
|
|
|
943807 |
|
|
|
943807 |
diff --git a/sshd.8 b/sshd.8
|
|
|
943807 |
index 5c4f15b..135e290 100644
|
|
|
943807 |
--- a/sshd.8
|
|
|
943807 |
+++ b/sshd.8
|
|
|
943807 |
@@ -806,6 +806,10 @@ rlogin/rsh.
|
|
|
943807 |
These files enforce GSSAPI/Kerberos authentication access control.
|
|
|
943807 |
Further details are described in
|
|
|
943807 |
.Xr ksu 1 .
|
|
|
943807 |
+The location of the k5login file depends on the configuration option
|
|
|
943807 |
+.Cm k5login_directory
|
|
|
943807 |
+in the
|
|
|
943807 |
+.Xr krb5.conf 5 .
|
|
|
943807 |
.Pp
|
|
|
943807 |
.It Pa ~/.ssh/
|
|
|
943807 |
This directory is the default location for all user-specific configuration
|