[Dovecot] GSSAPI cross-realm fixed

Timo Sirainen tss at iki.fi
Fri Mar 13 23:47:23 EET 2009


On Tue, 2009-03-03 at 13:56 -0500, Bryan Jacobs wrote:

> Changes it makes:
> 1.  When using krb5_kuserok, do not call gss_compare_name to check that
> authn_name and authz_name are the same.  Instead, make TWO calls to
> krb5_kuserok, one for each ID.  If both IDs are acceptable, allow the
> login.

Sounds good.

> 2.  Disable checking that the name is a GSS_KRB5_PRINCIPAL_NAME, as
> this doesn't appear to be always the case for the authz_name.

Is there any downside to this check? Can something bad happen if it's
not a principal name? I left the check there now for authn_name.

Committed: http://hg.dovecot.org/dovecot-1.2/rev/ff6378d7b209

And then I noticed that the last equal_authn_authz check most likely
shouldn't have been changed, so reversed it:

http://hg.dovecot.org/dovecot-1.2/rev/601e0382b442
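The two changes discussed above, as an added illustration that is not part of this thread or of Dovecot's source: a small Python model of the authorization step, with the old rule (authn_name and authz_name must compare equal, then krb5_kuserok) next to the new rule (krb5_kuserok called once for each name). The kuserok model, the realm names, the local users and their .k5login contents are all constructed for the example; it follows the common krb5_kuserok behaviour of honouring ~/.k5login when present and otherwise accepting only localuser@DEFAULT_REALM, which is an assumption about the library, not something the thread states.

```python
"""Model of Dovecot's GSSAPI authorization decision before and after the
cross-realm fix discussed in the thread.  Everything here is a constructed
stand-in: the realm names, the users, the .k5login contents and the
simplified kuserok() are assumptions for illustration only."""

from typing import Dict, Optional, Set

DEFAULT_REALM = "EXAMPLE.COM"  # assumed local realm of the Dovecot host

# Constructed stand-in for each local user's ~/.k5login.
# None means the file does not exist; a set lists the principals it names.
# Note that when the file exists, ONLY its entries are accepted, so bryan
# must list his own default-realm principal as well as the foreign one.
K5LOGIN: Dict[str, Optional[Set[str]]] = {
    "bryan": {"bryan@EXAMPLE.COM", "bryan@PARTNER.ORG"},
    "alice": None,
}


def kuserok(principal: str, local_user: str,
            k5login: Dict[str, Optional[Set[str]]] = K5LOGIN,
            default_realm: str = DEFAULT_REALM) -> bool:
    """Simplified krb5_kuserok: may `principal` act as `local_user`?

    With a .k5login present, only the listed principals are accepted.
    Without one, only local_user@default_realm is accepted.
    """
    listed = k5login.get(local_user)
    if listed is None:
        return principal == f"{local_user}@{default_realm}"
    return principal in listed


def gss_compare_name(a: str, b: str) -> bool:
    """Stand-in for gss_compare_name(): true only for identical names."""
    return a == b


def authorize_old(authn_name: str, authz_name: str, local_user: str) -> bool:
    """Rule before the fix: the authenticated principal and the requested
    authorization identity must be the same GSS name, then kuserok must
    accept it.  A cross-realm principal never equals user@DEFAULT_REALM,
    so cross-realm logins were refused here."""
    if not gss_compare_name(authn_name, authz_name):
        return False
    return kuserok(authn_name, local_user)


def authorize_new(authn_name: str, authz_name: str, local_user: str) -> bool:
    """Rule after the fix: no name comparison; instead kuserok is asked
    separately whether each name may act as the local user, and the
    login is allowed only if both answers are yes."""
    return kuserok(authn_name, local_user) and kuserok(authz_name, local_user)


def compare_rules(authn_name: str, authz_name: str, local_user: str):
    """Return (old_decision, new_decision) for one login attempt."""
    return (authorize_old(authn_name, authz_name, local_user),
            authorize_new(authn_name, authz_name, local_user))


if __name__ == "__main__":
    scenarios = [
        # cross-realm user listed in .k5login: refused before, allowed after
        ("bryan@PARTNER.ORG", "bryan@EXAMPLE.COM", "bryan"),
        # ordinary same-realm login: allowed under both rules
        ("alice@EXAMPLE.COM", "alice@EXAMPLE.COM", "alice"),
        # foreign principal not listed for bryan: refused under both rules
        ("mallory@PARTNER.ORG", "bryan@EXAMPLE.COM", "bryan"),
        # cross-realm login for a user without .k5login: refused
        ("alice@PARTNER.ORG", "alice@EXAMPLE.COM", "alice"),
        # valid principal asking for someone else's identity: refused
        ("bryan@EXAMPLE.COM", "alice@EXAMPLE.COM", "alice"),
    ]
    for authn, authz, user in scenarios:
        old, new = compare_rules(authn, authz, user)
        print(f"authn={authn:<20} authz={authz:<18} user={user:<6} "
              f"old={old!s:<5} new={new}")
```

The third and fifth scenarios are the ones worth keeping an eye on when reviewing a change like this: dropping the name comparison is only safe because krb5_kuserok is still consulted for the authenticated principal, so an unrelated principal cannot simply request another user's authorization identity.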