3 Mar 2009, 8:56 p.m.
Attached is a patch which in my environment (Linux/Heimdal 1.2.1) fixes cross-realm GSSAPI authentication.
Changes it makes:
- When using krb5_kuserok, do not call gss_compare_name to check that authn_name and authz_name are the same. Instead, make TWO calls to krb5_kuserok, one for each ID. If both IDs are acceptable, allow the login.
- Disable checking that the name is a GSS_KRB5_PRINCIPAL_NAME, as this doesn't appear to be always the case for the authz_name.
If I create a .k5login listing both username@REALM1 and username@REALM2, and make that file follow the appropriate security restrictions (world read, user only write permissions), this lets me use GSSAPI logins with principals from either REALM1 or REALM2.
This leaves untouched the behavior in the case where krb5_kuserok is not available.
Bryan Jacobs