Ticket #500 (accepted task)
Get the dialup patched sshd into upstream
| Reported by: | jdreed | Owned by: | achernya |
|---|---|---|---|
| Priority: | normal | Milestone: | Upstream Utopia |
| Component: | -- | Keywords: | |
| Cc: | | Fixed in version: | |
| Upstream bug: | | | |
Description
See #495 for context.
Ops has a patch to ssh to fallback to keyboard-interactive if the user attempts GSSAPI with non-forwardable tickets.
Mark Manley was working on a more complete patch to make this a configurable option.
We should try to get it into upstream.
Change History
comment:2 Changed 14 years ago by geofft
The code is in /mit/dialup/src/openssh-5.3p1, with changes in RCS. The operative bit appears to be the following in gss-serv-krb5.c:
@@ -91,6 +115,15 @@ if (ssh_gssapi_krb5_init() == 0) return 0; + /* If this isn't a local account and the user hasn't specified + * ticket forwarding, fail through to password authentication. + * The shell the user gets won't be useful without tickets anyway. + */ + if (!is_local_user(name) && !client->creds) { + logit("%s is not a local user and did not forward tickets.",name); + return 0; + } + if ((retval = krb5_parse_name(krb_context, client->exportedname.value, &princ))) { logit("krb5_parse_name(): %.100s",
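Review bot: the early return in this hunk is unconditional and rests on is_local_user(), which (per the comment that follows) only tests for root, so on any host where the target account is not root every GSSAPI attempt without delegated credentials is refused regardless of site policy; before this goes upstream, wrap the block in a config option that defaults to off (the upstream maintainer asked for exactly that) and replace the root test with a lookup the admin can point at a group, e.g. `if (options.gss_require_deleg_for != NULL && !user_in_group(name, options.gss_require_deleg_for) && !client->creds)`. Returning before krb5_parse_name() is the right spot, since nothing has been allocated yet. The comment's "fail through to password authentication" should also be reworded: what actually happens is that sshd declines the gssapi-with-mic method and the client moves on to whatever is next in its list (keyboard-interactive on the dialups).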
is_local_user currently just checks if you're root, with a comment implying this is kind of lame. It is -- it should check if the user is in nss-local-users (or not in nss-nonlocal-users), on a system with nss_nonlocal.
As far as upstream configurability goes, since people outside Debathena generally will not be running nss_nonlocal, I suppose the right thing to do about the is_local_user business is to turn the proposed "GSSAPIRequireDelegatedCredentials yes" boolean config option into something like a "GSSAPIRequireDelegatedCredentialsFor nss-nonlocal-users" one, where you can specify a group that will trigger this code if it shows up in getgrouplist(name).
I mentioned this to Simon Wilkinson over zephyr and he said, "I would be interested in a patch to add that behaviour, providing it was configurable. I am the upstream for Debian."
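The group-based variant of the check sketched in the comment above, written out as an added example; this is not code from the dialup patch or from OpenSSH. The option name `GSSAPIRequireDelegatedCredentialsFor`, the function names `user_in_group()` and `gssapi_userauth_allowed()`, and the `has_creds` flag standing in for `client->creds != NULL` are all assumptions made here; the membership test uses getpwnam(3), getgrnam(3) and getgrouplist(3) on the local NSS database, so under nss_nonlocal a group such as nss-nonlocal-users resolves the same way.

```c
/* Added example: decide whether sshd should let GSSAPI userauth proceed,
 * or decline it so the client falls through to its next method, based on
 * whether the user is in a configured group and forwarded credentials.
 * Names are hypothetical; this is not the dialup patch or OpenSSH code. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 if `name` is a member of `group` (primary or supplementary)
 * according to getgrouplist(3); 0 if not, or if either lookup fails.
 * A failed lookup is treated as "not in the group", i.e. the stricter
 * check is not applied to unknown accounts; sshd rejects those anyway. */
int user_in_group(const char *name, const char *group)
{
    struct passwd *pw;
    struct group *gr;
    gid_t probe, *gids;
    int ngroups = 0, i, found = 0;

    if (name == NULL || group == NULL)
        return 0;
    if ((pw = getpwnam(name)) == NULL || (gr = getgrnam(group)) == NULL)
        return 0;

    /* First call with ngroups = 0 only reports how many entries are needed. */
    getgrouplist(name, pw->pw_gid, &probe, &ngroups);
    if (ngroups <= 0)
        return 0;
    if ((gids = calloc((size_t)ngroups, sizeof(*gids))) == NULL)
        return 0;
    if (getgrouplist(name, pw->pw_gid, gids, &ngroups) == -1) {
        free(gids);
        return 0;
    }
    for (i = 0; i < ngroups; i++) {
        if (gids[i] == gr->gr_gid) {
            found = 1;
            break;
        }
    }
    free(gids);
    return found;
}

/* Mirror of the decision in the dialup hunk, with the root-only
 * is_local_user() replaced by a group test.  `group` is the value of the
 * hypothetical GSSAPIRequireDelegatedCredentialsFor option (NULL = unset);
 * `has_creds` stands in for `client->creds != NULL`.  Returns 1 if GSSAPI
 * userauth may proceed, 0 if sshd should decline it so the client tries
 * its next method (keyboard-interactive on the dialups). */
int gssapi_userauth_allowed(const char *name, int has_creds, const char *group)
{
    if (group == NULL)                 /* option unset: stock upstream behaviour */
        return 1;
    if (has_creds)                     /* tickets were forwarded: nothing to do */
        return 1;
    if (!user_in_group(name, group))   /* not one of the flagged accounts */
        return 1;
    fprintf(stderr, "%s is in %s and did not forward tickets; declining GSSAPI\n",
            name, group);
    return 0;
}

int main(int argc, char **argv)
{
    /* Constructed usage: ./a.out <user> <0|1 creds forwarded> [group] */
    const char *name = argc > 1 ? argv[1] : "root";
    int has_creds = argc > 2 ? atoi(argv[2]) : 0;
    const char *group = argc > 3 ? argv[3] : "root";

    printf("gssapi_userauth_allowed(%s, creds=%d, group=%s) = %d\n",
           name, has_creds, group, gssapi_userauth_allowed(name, has_creds, group));
    return 0;
}
```

With the option unset the function always returns 1, which is the default that upstream would expect; only accounts in the named group and lacking delegated credentials are turned away, and a misspelled group name disables the check rather than locking everyone out.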