Ticket #500 (accepted task)

Opened 15 years ago

Last modified 14 years ago

Get the dialup patched sshd into upstream

Reported by: jdreed Owned by: achernya
Priority: normal Milestone: Upstream Utopia
Component: -- Keywords:
Cc: Fixed in version:
Upstream bug:

Description

See #495 for context.

Ops has a patch to ssh to fallback to keyboard-interactive if the user attempts GSSAPI with non-forwardable tickets.

Mark Manley was working on a more complete patch to make this a configurable option.

We should try to get it into upstream.

Change History

comment:1 Changed 15 years ago by asedeno

I mentioned this to Simon Wilkinson over zephyr and he said, "I would be interested in a patch to add that behaviour, providing it was configurable. I am the upstream for Debian."

comment:2 Changed 14 years ago by geofft

The code is in /mit/dialup/src/openssh-5.3p1, with changes in RCS. The operative bit appears to be the following in gss-serv-krb5.c:

@@ -91,6 +115,15 @@
        if (ssh_gssapi_krb5_init() == 0)
                return 0;
 
+        /* If this isn't a local account and the user hasn't specified
+         * ticket forwarding, fail through to password authentication.
+         * The shell the user gets won't be useful without tickets anyway.
+         */
+        if (!is_local_user(name) && !client->creds) {
+               logit("%s is not a local user and did not forward tickets.",name);
+                return 0;
+       }
+
        if ((retval = krb5_parse_name(krb_context, client->exportedname.value,
            &princ))) {
                logit("krb5_parse_name(): %.100s",

is_local_user currently just checks if you're root, with a comment implying this is kind of lame. It is -- it should check if the user is in nss-local-users (or not in nss-nonlocal-users), on a system with nss_nonlocal.

As far as upstream configurability since people outside Debathena generally will not be running nss_nonlocal, I suppose the right thing to do about the is_local_user business is to turn the proposed "GSSAPIRequireDelegatedCredentials yes" boolean config option into something like a "GSSAPIRequireDelegatedCredentialsFor nss-nonlocal-users" one, where you can specify a group that will trigger this code if it shows up in getgrouplist(name).

comment:3 Changed 14 years ago by achernya

  • Status changed from new to accepted
  • Owner set to achernya

 Patch Created

No boolean variable in this version, if the configuration option for the group is not specified this behaviour is disabled.

Note: See TracTickets for help on using tickets.