[Dovecot] GSSAPI cross-realm fixed

Timo Sirainen tss at iki.fi
Wed Jul 8 03:27:57 EEST 2009


On Tue, 2009-03-03 at 13:56 -0500, Bryan Jacobs wrote:
> Attached is a patch which in my environment (Linux/Heimdal 1.2.1) fixes
> cross-realm GSSAPI authentication.
> 
> Changes it makes:
> 1.  When using krb5_kuserok, do not call gss_compare_name to check that
> authn_name and authz_name are the same.  Instead, make TWO calls to
> krb5_kuserok, one for each ID.  If both IDs are acceptable, allow the
> login.

I'm just wondering. Is the authz_name check really necessary?
Simplified, the code is basically:

krb5_parse_name(ctx, username, &princ);
ok = krb5_kuserok(ctx, princ, username);

Are there really situations where the above code produces ok=FALSE?

Also do you have any ideas why after your patch it fails here:
http://dovecot.org/list/dovecot/2009-June/040672.html

Maybe instead of always using krb5_kuserok() it's used only when
authn_name != authz_name?
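To make the two check forms under discussion concrete, here is a small Python model added for this page; it is not Dovecot's code, not Bryan's patch, and not libkrb5. It assumes a toy `kuserok()` that mimics the usual krb5_kuserok rule (a principal is accepted for a local user if it is `user@DEFAULT_REALM` or is listed in that user's .k5login), with a constructed default realm and a constructed .k5login table. `two_call_check()` is my reading of "two calls to krb5_kuserok, one for each ID"; `simplified_check()` is the two-line form quoted above. Running the cross-realm case through both makes visible which identity each form actually consults.

```python
# Toy model of the authn/authz principal checks, added as an example.
# Not libkrb5 and not Dovecot's mech-gssapi code; all data is constructed.

DEFAULT_REALM = "EXAMPLE.ORG"            # constructed default realm

# Constructed ~user/.k5login contents: local user -> set of allowed principals.
K5LOGIN = {
    "bob": {"bob@OTHER.REALM"},           # bob also logs in from a foreign realm
}


def parse_name(name: str) -> str:
    """Analogue of krb5_parse_name: append the default realm if none given."""
    return name if "@" in name else f"{name}@{DEFAULT_REALM}"


def kuserok(principal: str, luser: str) -> bool:
    """Analogue of krb5_kuserok(ctx, principal, luser).

    Accepts when the principal is the local user's own principal in the
    default realm, or when the user's .k5login lists that principal.
    """
    if principal == f"{luser}@{DEFAULT_REALM}":
        return True
    return principal in K5LOGIN.get(luser, set())


def simplified_check(username: str) -> bool:
    """The two-line form quoted in the mail: parse the login name into a
    principal and ask whether that principal may log in as that name.
    Note that the GSSAPI-authenticated principal never appears here."""
    princ = parse_name(username)
    return kuserok(princ, username)


def two_call_check(authn_name: str, authz_name: str) -> bool:
    """My reading of the patch description: consult krb5_kuserok once for the
    authenticated principal and once for the requested (authz) identity,
    and allow the login only if both are acceptable for the target user."""
    authn_ok = kuserok(authn_name, authz_name)
    authz_ok = kuserok(parse_name(authz_name), authz_name)
    return authn_ok and authz_ok


if __name__ == "__main__":
    # Local-realm user: both forms agree.
    print("alice local    :", simplified_check("alice"),
          two_call_check("alice@EXAMPLE.ORG", "alice"))
    # Cross-realm user listed in .k5login: two-call form accepts.
    print("bob cross-realm:", two_call_check("bob@OTHER.REALM", "bob"))
    # Foreign principal not listed for the target user: two-call form rejects,
    # while the simplified form (which never sees the authn name) still says True.
    print("mallory as bob :", two_call_check("mallory@OTHER.REALM", "bob"),
          simplified_check("bob"))
```

The last line of output is the point a reviewer would want to see: the simplified form answers the same way for any authenticated principal because it only ever compares the login name with itself, whereas the two-call form ties the decision to the identity GSSAPI actually authenticated.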