Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-4.3p2-askpass-grab-info.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-5.1p1-askpass-progress.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-5.8p2-sigpipe.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-5.9p1-ipv6man.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.3p1-ctr-evp-fast.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.4p1-fromto-remote.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.6.1p1-log-in-chroot.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.6.1p1-scp-non-existing-directory.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.6.1p1-selinux-contexts.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.6p1-allow-ip-opts.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.6p1-force_krb.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.6p1-GSSAPIEnablek5users.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.6p1-keycat.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.6p1-keyperm.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.6p1-kuserok.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.6p1-privsep-selinux.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.7p1-coverity.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.7p1-sftp-force-permission.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.8p1-sshdT-output.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.1p2-audit-race-condition.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.2p2-k5login_directory.patch 
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.2p2-s390-closefrom.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.2p2-x11.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.3p1-x11-max-displays.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.4p1-systemd.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.5p1-sandbox.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.6p1-audit.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.6p1-cleanup-selinux.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.7p1-fips.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.7p1-gssapi-new-unique.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.7p1.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.8p1-role-mls.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.8p1-scp-ipv6.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.8p1-UsePAM-warning.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.0p1-crypto-policies.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.0p1-gssapi-keyex.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.0p1-keygen-strip-doseol.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.0p1-openssl-evp.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.0p1-openssl-kdf.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.0p1-pkcs11-uri.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.0p1-preserve-pam-errors.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.2p1-visibility.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.2p1-x11-without-ipv6.patch 
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.7p1-scp-kill-switch.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/pam_ssh_agent_auth-0.10.2-compat.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/pam_ssh_agent_auth-0.10.2-dereference.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/pam_ssh_agent_auth-0.10.3-seteuid.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/pam_ssh_agent_auth-0.9.2-visibility.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/pam_ssh_agent_auth-0.9.3-agent_structure.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/pam_ssh_agent_auth-0.9.3-build.patch
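--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -375,5 +375,21 @@ cleanup:
 return (krb5_cc_resolve(ctx, ccname, ccache));
 }
 }
+
+/*
+ * Reads k5login_directory option from the krb5.conf
+ */
+krb5_error_code
+ssh_krb5_get_k5login_directory(krb5_context ctx, char **k5login_directory) {
+ profile_t p;
+ int ret = 0;
+
+ ret = krb5_get_profile(ctx, &p);
+ if (ret)
+ return ret;
+
+ return profile_get_string(p, "libdefaults", "k5login_directory", NULL, NULL,
+ k5login_directory);
+}
 #endif /* !HEIMDAL */
 #endif /* KRB5 */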
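Review bot: ssh_krb5_get_k5login_directory() never releases the profile handle it gets from krb5_get_profile(), so every call leaks `p`; in MIT krb5 the caller is expected to hand it back with profile_release(). Capture the lookup result and release before returning: `ret = profile_get_string(p, "libdefaults", "k5login_directory", NULL, NULL, k5login_directory);` then `profile_release(p);` then `return ret;`. The comment above the function should also say that the string stored in `*k5login_directory` belongs to the caller and must be freed with profile_release_string(), and that it is left NULL when the option is absent.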
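--- a/auth.h
+++ b/auth.h
@@ -222,6 +222,8 @@ int sys_auth_passwd(Authctxt *, const char *);
 
 #if defined(KRB5) && !defined(HEIMDAL)
 krb5_error_code ssh_krb5_cc_new_unique(krb5_context, krb5_ccache *, int *);
+krb5_error_code ssh_krb5_get_k5login_directory(krb5_context ctx,
+ char **k5login_directory);
 #endif
 
 #endif /* AUTH_H */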
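--- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c
@@ -244,8 +244,27 @@ ssh_gssapi_k5login_exists()
 {
 char file[MAXPATHLEN];
 struct passwd *pw = the_authctxt->pw;
+ char *k5login_directory = NULL;
+ int ret = 0;
+
+ ret = ssh_krb5_get_k5login_directory(krb_context, &k5login_directory);
+ debug3_f("k5login_directory = %s (rv=%d)", k5login_directory, ret);
+ if (k5login_directory == NULL || ret != 0) {
+ /* If not set, the library will look for k5login
+ * files in the user's home directory, with the filename .k5login.
+ */
+ snprintf(file, sizeof(file), "%s/.k5login", pw->pw_dir);
+ } else {
+ /* If set, the library will look for a local user's k5login file
+ * within the named directory, with a filename corresponding to the
+ * local username.
+ */
+ snprintf(file, sizeof(file), "%s%s%s", k5login_directory,
+ k5login_directory[strlen(k5login_directory)-1] != '/' ? "/" : "",
+ pw->pw_name);
+ }
+ debug_f("Checking existence of file %s", file);
 
- snprintf(file, sizeof(file), "%s/.k5login", pw->pw_dir);
 return access(file, F_OK) == 0;
 }
 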
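Review bot: The trailing-slash test `k5login_directory[strlen(k5login_directory)-1]` reads out of bounds when krb5.conf sets `k5login_directory` to an empty string, because strlen() returns 0 and the index wraps; treat an empty value like an unset one with `if (ret != 0 || k5login_directory == NULL || k5login_directory[0] == '\0') {`. The returned string is never freed on either path, so add `profile_release_string(k5login_directory);` before the `return`. The `debug3_f` call passes `k5login_directory` to `%s` while it can still be NULL, which is undefined behaviour on platforms whose printf does not tolerate it. Neither snprintf() result is checked, so an over-long directory or user name is silently truncated and access() then tests a different path from the one the Kerberos library would read. Since sshd.8 describes these files as enforcing access control, a truncated path should be logged and treated as "file absent" rather than probed.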
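--- a/sshd.8
+++ b/sshd.8
@@ -806,6 +806,10 @@ rlogin/rsh.
 These files enforce GSSAPI/Kerberos authentication access control.
 Further details are described in
 .Xr ksu 1 .
+The location of the k5login file depends on the configuration option
+.Cm k5login_directory
+in the
+.Xr krb5.conf 5 .
 .Pp
 .It Pa ~/.ssh/
 This directory is the default location for all user-specific configuration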