Check for real location of .k5login file (#1328243)

openssh-7.2p2-k5login_directory.patch

@@ -0,0 +1,87 @@
+diff --git a/auth-krb5.c b/auth-krb5.c
+index 2b02a04..19b9364 100644
+--- a/auth-krb5.c
++++ b/auth-krb5.c
+@@ -375,6 +375,22 @@ cleanup:
+ 	return -1;
+ }
+ 
++/*
++ * Reads  k5login_directory  option from the  krb5.conf
++ */
++krb5_error_code
++ssh_krb5_get_k5login_directory(krb5_context ctx, char **k5login_directory) {
++	profile_t p;
++	int ret = 0;
++
++	ret = krb5_get_profile(ctx, &p);
++	if (ret)
++		return ret;
++
++	return profile_get_string(p, "libdefaults", "k5login_directory", NULL, NULL,
++		k5login_directory);
++}
++
+ krb5_error_code
+ ssh_krb5_get_cctemplate(krb5_context ctx, char **ccname) {
+ 	profile_t p;
+diff --git a/auth.h b/auth.h
+index f9d191c..c432d2f 100644
+--- a/auth.h
++++ b/auth.h
+@@ -222,5 +222,7 @@ int	 sys_auth_passwd(Authctxt *, const char *);
+ #if defined(KRB5) && !defined(HEIMDAL)
+ #include <krb5.h>
+ krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
++krb5_error_code ssh_krb5_get_k5login_directory(krb5_context ctx,
++	char **k5login_directory);
+ #endif
+ #endif
+diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
+index a7c0c5f..df8cc9a 100644
+--- a/gss-serv-krb5.c
++++ b/gss-serv-krb5.c
+@@ -244,8 +244,27 @@ ssh_gssapi_k5login_exists()
+ {
+ 	char file[MAXPATHLEN];
+ 	struct passwd *pw = the_authctxt->pw;
++	char *k5login_directory = NULL;
++	int ret = 0;
++
++	ret = ssh_krb5_get_k5login_directory(krb_context, &k5login_directory);
++	debug3("%s: k5login_directory = %s (rv=%d)", __func__, k5login_directory, ret);
++	if (k5login_directory == NULL || ret != 0) {
++		/* If not set, the library will look for  k5login
++		 * files in the user's home directory, with the filename  .k5login.
++		 */
++		snprintf(file, sizeof(file), "%s/.k5login", pw->pw_dir);
++	} else {
++		/* If set, the library will look for a local user's k5login file
++		 * within the named directory, with a filename corresponding to the
++		 * local username.
++		 */
++		snprintf(file, sizeof(file), "%s%s%s", k5login_directory, 
++			k5login_directory[strlen(k5login_directory)-1] != '/' ? "/" : "",
++			pw->pw_name);
++	}
++	debug("%s: Checking existence of file %s", __func__, file);
+ 
+-	snprintf(file, sizeof(file), "%s/.k5login", pw->pw_dir);
+ 	return access(file, F_OK) == 0;
+ }
+ 
+diff --git a/sshd.8 b/sshd.8
+index 5c4f15b..135e290 100644
+--- a/sshd.8
++++ b/sshd.8
+@@ -806,6 +806,10 @@ rlogin/rsh.
+ These files enforce GSSAPI/Kerberos authentication access control.
+ Further details are described in
+ .Xr ksu 1 .
++The location of the k5login file depends on the configuration option
++.Cm k5login_directory
++in the
++.Xr krb5.conf 5 .
+ .Pp
+ .It Pa ~/.ssh/
+ This directory is the default location for all user-specific configuration

openssh.spec

@@ -178,12 +178,14 @@ Patch802: openssh-6.6p1-GSSAPIEnablek5users.patch
 # Documentation about GSSAPI
 # from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765655
 Patch803: openssh-7.1p1-gssapi-documentation.patch
+# use default_ccache_name from /etc/krb5.conf (#991186)
+Patch804: openssh-6.3p1-krb5-use-default_ccache_name.patch
+# Respect k5login_directory option in krk5.conf (#1328243)
+Patch805: openssh-7.2p2-k5login_directory.patch
 
 Patch900: openssh-6.1p1-gssapi-canohost.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1780
 Patch901: openssh-6.6p1-kuserok.patch
-# use default_ccache_name from /etc/krb5.conf (#991186)
-Patch902: openssh-6.3p1-krb5-use-default_ccache_name.patch
 # Use tty allocation for a remote scp (#985650)
 Patch906: openssh-6.4p1-fromto-remote.patch
 # set a client's address right after a connection is set
@@ -443,10 +445,11 @@ popd
 %patch800 -p1 -b .gsskex
 %patch801 -p1 -b .force_krb
 %patch803 -p1 -b .gss-docs
+%patch804 -p1 -b .ccache_name
+%patch805 -p1 -b .k5login
 # 
 %patch900 -p1 -b .canohost
 %patch901 -p1 -b .kuserok
-%patch902 -p1 -b .ccache_name
 %patch906 -p1 -b .fromto-remote
 %patch911 -p1 -b .set_remote_ipaddr
 %patch912 -p1 -b .utf8-banner