Ticket #500 (accepted task)
Get the dialup patched sshd into upstream
| Reported by: | jdreed | Owned by: | achernya |
|---|---|---|---|
| Priority: | normal | Milestone: | Upstream Utopia |
| Component: | -- | Keywords: | |
| Cc: | Fixed in version: | ||
| Upstream bug: |
Description
See #495 for context.
Ops has a patch to ssh to fallback to keyboard-interactive if the user attempts GSSAPI with non-forwardable tickets.
Mark Manley was working on a more complete patch to make this a configurable option.
We should try to get it into upstream.
Change History
comment:2 Changed 14 years ago by geofft
The code is in /mit/dialup/src/openssh-5.3p1, with changes in RCS. The operative bit appears to be the following in gss-serv-krb5.c:
@@ -91,6 +115,15 @@
if (ssh_gssapi_krb5_init() == 0)
return 0;
+ /* If this isn't a local account and the user hasn't specified
+ * ticket forwarding, fail through to password authentication.
+ * The shell the user gets won't be useful without tickets anyway.
+ */
+ if (!is_local_user(name) && !client->creds) {
+ logit("%s is not a local user and did not forward tickets.",name);
+ return 0;
+ }
+
if ((retval = krb5_parse_name(krb_context, client->exportedname.value,
&princ))) {
logit("krb5_parse_name(): %.100s",
is_local_user currently just checks if you're root, with a comment implying this is kind of lame. It is -- it should check if the user is in nss-local-users (or not in nss-nonlocal-users), on a system with nss_nonlocal.
As far as upstream configurability since people outside Debathena generally will not be running nss_nonlocal, I suppose the right thing to do about the is_local_user business is to turn the proposed "GSSAPIRequireDelegatedCredentials yes" boolean config option into something like a "GSSAPIRequireDelegatedCredentialsFor nss-nonlocal-users" one, where you can specify a group that will trigger this code if it shows up in getgrouplist(name).
I mentioned this to Simon Wilkinson over zephyr and he said, "I would be interested in a patch to add that behaviour, providing it was configurable. I am the upstream for Debian."