On Tue, 07 Jul 2009 20:27:57 -0400 Timo Sirainen <t...@iki.fi> wrote:
> On Tue, 2009-03-03 at 13:56 -0500, Bryan Jacobs wrote:
> > Attached is a patch which in my environment (Linux/Heimdal 1.2.1)
> > fixes cross-realm GSSAPI authentication.
> >
> > Changes it makes:
> > 1. When using krb5_kuserok, do not call gss_compare_name to check
> > that authn_name and authz_name are the same. Instead, make TWO
> > calls to krb5_kuserok, one for each ID. If both IDs are
> > acceptable, allow the login.
>
> I'm just wondering. Is the authz_name check really necessary?
> Simplified, the code is basically:
>
> krb5_parse_name(ctx, username, &princ);
> ok = krb5_kuserok(ctx, princ, username);
>
> Are there really situations where the above code produces ok=FALSE?
>
> Also do you have any ideas why after your patch it fails here:
> http://dovecot.org/list/dovecot/2009-June/040672.html
>
> Maybe instead of always using krb5_kuserok() it's used only when
> authn_name != authz_name?

I haven't looked at the source code of krb5_kuserok so I can't say for
sure. The issue is that one user can AUTHeNticate and then request
AUTHoriZation for a different mailbox (as in, f...@bar.com could be OK
for the mailbox f...@baz.com).

Your idea of using krb5_kuserok when authn_name != authz_name sounds
very good to me - a principal should always be allowed to act in its
own name. Perhaps lha should be consulted first, though.

I don't know why the case you cite fails - they ARE using MIT Kerberos
(Heimdal klist output looks different from what they pasted), so it
could be that krb5_kuserok functions differently there.

Bryan Jacobs
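The authorization rule discussed in this thread, written out as an added example (this is not Dovecot's code and not the Kerberos library's; it is editor-supplied). It models the two decisions the thread describes: Timo's shortcut of skipping the lookup when the authenticated principal and the requested mailbox user are the same identity, and Bryan's patch of consulting krb5_kuserok for both identities when they differ. `mock_kuserok`, `authorize_login` and the `.k5login` contents are constructed stand-ins; the mock follows a simplified reading of what krb5_kuserok checks (principal equals `user@DEFAULT_REALM` when no .k5login exists, otherwise the principal must be listed), which is an assumption and may differ between MIT and Heimdal, as Bryan suspects.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed .k5login for mailbox owner "foo" (not a real file):
 * foo also holds a principal in a second realm, and an admin in the
 * default realm is allowed to act as foo. */
static const char *const K5LOGIN_FOO[] = {
    "foo@BAR.COM",
    "foo@BAZ.COM",
    "admin@BAR.COM",
    NULL,
};

/* Simplified stand-in for krb5_kuserok() (assumption, not library code):
 * with no .k5login (k5login == NULL) the principal must be exactly
 * luser@DEFAULT_REALM; with a .k5login present it must be listed there. */
static bool mock_kuserok(const char *principal, const char *luser,
                         const char *default_realm, const char *const *k5login)
{
    char self[256];

    if (k5login == NULL) {
        snprintf(self, sizeof self, "%s@%s", luser, default_realm);
        return strcmp(principal, self) == 0;
    }
    for (; *k5login != NULL; k5login++)
        if (strcmp(*k5login, principal) == 0)
            return true;
    return false;
}

/* Decision for a GSSAPI login where authn_principal is the name proven by
 * the Kerberos ticket and authz_user is the mailbox the client asked for.
 * Hypothetical helper modelling the thread's proposal. */
static bool authorize_login(const char *authn_principal, const char *authz_user,
                            const char *default_realm, const char *const *k5login)
{
    char authz_principal[256];

    /* krb5_parse_name() on a bare username yields user@DEFAULT_REALM. */
    snprintf(authz_principal, sizeof authz_principal, "%s@%s",
             authz_user, default_realm);

    /* Timo's shortcut: a principal acting in its own name needs no lookup. */
    if (strcmp(authn_principal, authz_principal) == 0)
        return true;

    /* Cross-realm / proxy case: the patch's two kuserok calls, one per
     * identity; both must be acceptable for the target local user. */
    return mock_kuserok(authn_principal, authz_user, default_realm, k5login) &&
           mock_kuserok(authz_principal, authz_user, default_realm, k5login);
}

int main(void)
{
    /* Constructed scenarios: default realm BAR.COM, mailbox "foo" has a
     * .k5login, mailbox "bob" has none. */
    struct { const char *authn, *authz; const char *const *k5login; } cases[] = {
        { "foo@BAR.COM",     "foo", K5LOGIN_FOO }, /* own name: allow  */
        { "foo@BAZ.COM",     "foo", K5LOGIN_FOO }, /* cross-realm: allow */
        { "mallory@BAZ.COM", "foo", K5LOGIN_FOO }, /* not listed: deny */
        { "bob@BAR.COM",     "bob", NULL },        /* own name: allow  */
        { "alice@BAR.COM",   "bob", NULL },        /* no .k5login: deny */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-16s -> %-4s : %s\n", cases[i].authn, cases[i].authz,
               authorize_login(cases[i].authn, cases[i].authz, "BAR.COM",
                               cases[i].k5login) ? "ALLOW" : "DENY");
    return 0;
}
```

The deny for `alice@BAR.COM -> bob` is the ordinary single-realm case Timo's simplified code already handles; the `foo@BAZ.COM -> foo` row is the cross-realm case the patch is about, and it only passes because the mailbox owner explicitly listed that principal.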