On Wed, 2009-07-08 at 13:41 +0200, Michal Hlavinka wrote:
I guess this fixes it again: http://hg.dovecot.org/dovecot-1.2/rev/f4ff64dd79a9
We've tested dovecot with all four available patches (that is, an up-to-date mech-gssapi.c) and it works.
I've been talking with the main Heimdal guy and he thinks that kind of checking is scary bad.
One thing that should change at least is that gss_display_name() shouldn't be passed to krb5_parse_name(). Instead gss_export_name() should be used and its results checked and passed to krb5_parse_name() (OpenSSH does this too). But I don't know if that would solve the original problem that required me to add the patch mentioned above.
One thing I'm not really sure about in Kerberos is, do both MIT and Heimdal require that you are using system users and have NSS set up in a way that Kerberos code can look up users with getpw*() functions? I think that's the main thing that krb5_kuserok() does that gss_compare_name() doesn't. But does Kerberos do the same check elsewhere and this isn't really a problem after all? If it doesn't check the user's existence elsewhere, maybe I could just use gss_export_name()s and compare them instead of display names?..
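As an added illustration of the two ideas above (check what gss_export_name() hands back before it reaches krb5_parse_name(), and compare exported names byte for byte rather than display names), here is a small C program. It is not Dovecot's or OpenSSH's code: it calls no GSSAPI library, and the tokens it works on are constructed by hand in the RFC 2743 section 3.2 mechanism-independent exported name format (0x04 0x01, two-byte mechanism OID length, DER OID, four-byte name length, name). The only identifiers it assumes are the krb5 mechanism OID 1.2.840.113554.1.2.2 and, for the rejection case, the SPNEGO OID 1.3.6.1.5.5.2; the principal alice@EXAMPLE.COM is made up.

```c
/* Constructed example: parsing and comparing RFC 2743 exported name tokens.
 * Not Dovecot or OpenSSH code; no GSSAPI library is called. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DER encoding of the Kerberos V5 mechanism OID 1.2.840.113554.1.2.2 */
static const uint8_t KRB5_MECH_OID_DER[] = {
    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02
};

/* Constructed: the token gss_export_name() yields for alice@EXAMPLE.COM under
 * krb5. Layout: 04 01 | 00 0b | OID DER (11 bytes) | 00 00 00 11 | name */
static const uint8_t SAMPLE_TOKEN[] = {
    0x04, 0x01, 0x00, 0x0b,
    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02,
    0x00, 0x00, 0x00, 0x11,
    'a','l','i','c','e','@','E','X','A','M','P','L','E','.','C','O','M'
};

/* Constructed: same name, but tagged with the SPNEGO OID 1.3.6.1.5.5.2 */
static const uint8_t WRONG_MECH_TOKEN[] = {
    0x04, 0x01, 0x00, 0x08,
    0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02,
    0x00, 0x00, 0x00, 0x11,
    'a','l','i','c','e','@','E','X','A','M','P','L','E','.','C','O','M'
};

/* Parse an exported name token. On success copies the NUL-terminated principal
 * string into out and returns 0; returns -1 for any malformed or non-krb5 token. */
int parse_krb5_exported_name(const uint8_t *tok, size_t len,
                             char *out, size_t outlen)
{
    size_t pos, oidlen, namelen, i;

    if (len < 4 || tok[0] != 0x04 || tok[1] != 0x01)
        return -1;
    oidlen = ((size_t)tok[2] << 8) | tok[3];
    pos = 4;
    /* Only accept names the krb5 mechanism itself exported. */
    if (oidlen != sizeof(KRB5_MECH_OID_DER) || len - pos < oidlen ||
        memcmp(tok + pos, KRB5_MECH_OID_DER, oidlen) != 0)
        return -1;
    pos += oidlen;
    if (len - pos < 4)
        return -1;
    namelen = ((size_t)tok[pos] << 24) | ((size_t)tok[pos + 1] << 16) |
              ((size_t)tok[pos + 2] << 8) | tok[pos + 3];
    pos += 4;
    /* Length must match exactly: no truncation, no trailing bytes. */
    if (len - pos != namelen || namelen == 0 || namelen >= outlen)
        return -1;
    /* krb5_parse_name() takes a C string, so an embedded NUL would silently
     * shorten the principal; other control characters are rejected as well. */
    for (i = 0; i < namelen; i++) {
        if (tok[pos + i] < 0x20 || tok[pos + i] == 0x7f)
            return -1;
    }
    memcpy(out, tok + pos, namelen);
    out[namelen] = '\0';
    return 0;
}

/* Build the token for a krb5 principal string, so the expected identity can be
 * compared byte for byte against what the mechanism exported.
 * Returns the token length, or 0 if buf is too small or the name is empty. */
size_t build_krb5_exported_name(const char *principal, uint8_t *buf, size_t buflen)
{
    size_t namelen = strlen(principal), pos = 0;
    size_t total = 4 + sizeof(KRB5_MECH_OID_DER) + 4 + namelen;

    if (namelen == 0 || namelen > 0xffffffffUL || total > buflen)
        return 0;
    buf[pos++] = 0x04; buf[pos++] = 0x01;
    buf[pos++] = (uint8_t)(sizeof(KRB5_MECH_OID_DER) >> 8);
    buf[pos++] = (uint8_t)(sizeof(KRB5_MECH_OID_DER) & 0xff);
    memcpy(buf + pos, KRB5_MECH_OID_DER, sizeof(KRB5_MECH_OID_DER));
    pos += sizeof(KRB5_MECH_OID_DER);
    buf[pos++] = (uint8_t)(namelen >> 24); buf[pos++] = (uint8_t)(namelen >> 16);
    buf[pos++] = (uint8_t)(namelen >> 8);  buf[pos++] = (uint8_t)(namelen & 0xff);
    memcpy(buf + pos, principal, namelen);
    return total;
}

/* Exported-name comparison: equal only if the whole token matches. */
int exported_names_equal(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen)
{
    return alen == blen && memcmp(a, b, alen) == 0;
}

/* Does this token carry exactly the expected principal string? */
int token_has_principal(const uint8_t *tok, size_t len, const char *expected)
{
    char name[256];
    if (parse_krb5_exported_name(tok, len, name, sizeof(name)) != 0)
        return 0;
    return strcmp(name, expected) == 0;
}

/* Build alice@EXAMPLE.COM and compare it with the constructed sample token. */
int built_name_matches_sample(void)
{
    uint8_t built[256];
    size_t n = build_krb5_exported_name("alice@EXAMPLE.COM", built, sizeof(built));
    return n != 0 && exported_names_equal(built, n, SAMPLE_TOKEN, sizeof(SAMPLE_TOKEN));
}

int main(void)
{
    char name[256];
    printf("sample token: %s\n",
           parse_krb5_exported_name(SAMPLE_TOKEN, sizeof(SAMPLE_TOKEN), name, sizeof(name)) == 0
           ? name : "REJECTED");
    printf("spnego-tagged token: %s\n",
           parse_krb5_exported_name(WRONG_MECH_TOKEN, sizeof(WRONG_MECH_TOKEN), name, sizeof(name)) == 0
           ? name : "REJECTED");
    printf("built == sample: %d\n", built_name_matches_sample());
    return 0;
}
```

In a real mechanism the token comes from the gss_buffer_t that gss_export_name() fills in, and the string this parser produces is what would be handed to krb5_parse_name(). Parsing the mechanism OID first is the point: a display name says nothing about which mechanism produced it, whereas an exported name that does not carry the krb5 OID can be refused before any principal parsing happens. Note that this replaces neither krb5_kuserok()'s .k5login lookup nor the getpw*() existence check the message asks about; it only makes the name that reaches those checks trustworthy.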