Sorry about how long it took me to investigate this report.

"R. Scott Bailey" <[EMAIL PROTECTED]> writes:

> Package: libpam-krb5
> Version: 3.5-1.1
> Severity: normal

> Don't panic over the version. :-) This is package 3.5-1 with some local 
> instrumenting added in an attempt to understand what is going on.

> Documentation claims:

> "If the username provided to PAM contains an "@" and Kerberos can,
> treating the username as a principal, map it to a local account
> name, pam_authenticate() will change the PAM user to that local
> account name."

> This does not actually happen, and I can't figure out why. I have
> attached /var/log/auth.log excerpts of login attempts (with "debug"
> option specified) -- my version adds a few extra lines of information so
> you can see what is happening with canonicalize_name()... Also note
> these attempts were via telnet on the loopback interface and not
> OpenSSH, in case that makes a difference.

Yes, it does.  It turns out that OpenSSH doesn't support this at all.  But
that was only one problem.  The other problem was that pam-krb5 was
canonicalizing the user far too late and was using the uncanonicalized
name in various other places.

I'd not really tested this feature to the extent that I should have.  I've
now gone back and remedied that problem and fixed a variety of bugs in the
feature and it should work properly in pam-krb5 3.6, which I hope to
release later this evening.

Thank you very much for your report and analysis!

-- 
Russ Allbery ([EMAIL PROTECTED])               <http://www.eyrie.org/~eagle/>



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to