[Dovecot] GSSAPI cross-realm fixed

Bryan Jacobs no at landwarsin.asia
Tue Mar 3 20:56:52 EET 2009


Attached is a patch which in my environment (Linux/Heimdal 1.2.1) fixes
cross-realm GSSAPI authentication.

Changes it makes:
1.  When using krb5_kuserok, do not call gss_compare_name to check that
authn_name and authz_name are the same.  Instead, make TWO calls to
krb5_kuserok, one for each ID.  If both IDs are acceptable, allow the
login.
2.  Disable checking that the name is a GSS_KRB5_PRINCIPAL_NAME, as
this doesn't appear to be always the case for the authz_name.

If I create a .k5login listing both username@REALM1 and
username@REALM2, and make that file follow the appropriate security
restrictions (world read, user only write permissions), this lets me
use GSSAPI logins with principals from either REALM1 or REALM2.

This leaves untouched the behavior in the case where krb5_kuserok is
not available.

Bryan Jacobs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: userok.patch
Type: text/x-patch
Size: 2644 bytes
Desc: not available
Url : http://dovecot.org/pipermail/dovecot/attachments/20090303/4fe4b3ae/attachment-0002.bin 
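As an added illustration of the decision the patch describes (this is not the attached patch and not Dovecot's or libkrb5's code), the following models the "two calls to krb5_kuserok, one per identity" rule against a constructed .k5login; model_kuserok is a hypothetical stand-in for krb5_kuserok that only checks principal membership and ignores the file ownership and permission checks the real function performs.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for krb5_kuserok(): returns 1 if `principal`
 * (e.g. "alice@REALM1") is listed as a line of the .k5login contents
 * in `k5login`, or, when no .k5login exists (k5login == NULL), if the
 * principal is exactly user@default_realm. Unlike the real function it
 * does not verify the file's owner or permissions. */
static int model_kuserok(const char *k5login, const char *default_realm,
                         const char *user, const char *principal)
{
    if (k5login == NULL) {
        char expect[256];
        snprintf(expect, sizeof expect, "%s@%s", user, default_realm);
        return strcmp(expect, principal) == 0;
    }
    const char *p = k5login;
    size_t plen = strlen(principal);
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len == plen && memcmp(p, principal, plen) == 0)
            return 1;               /* exact match on a whole line */
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return 0;
}

/* The post's rule: instead of requiring authn_name and authz_name to
 * compare equal as GSS names, allow the login only if the user's
 * .k5login (or the default-realm rule) accepts BOTH identities. */
int cross_realm_authz_ok(const char *k5login, const char *default_realm,
                         const char *user, const char *authn_name,
                         const char *authz_name)
{
    return model_kuserok(k5login, default_realm, user, authn_name)
        && model_kuserok(k5login, default_realm, user, authz_name);
}

int main(void)
{
    /* Constructed .k5login listing the same user in two realms. */
    const char *k5login = "alice@REALM1\nalice@REALM2\n";
    printf("alice@REALM2 -> alice@REALM1: %d\n", cross_realm_authz_ok(
               k5login, "REALM1", "alice", "alice@REALM2", "alice@REALM1"));
    printf("mallory@REALM2 -> alice@REALM1: %d\n", cross_realm_authz_ok(
               k5login, "REALM1", "alice", "mallory@REALM2", "alice@REALM1"));
    return 0;
}
```

Because both identities must pass the same .k5login check, an authenticated principal from one realm can only request an authorization identity that the user has explicitly listed as well.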