- add option to switch out krb5_kuserok

openssh-5.5p1-kuserok.patch

@@ -0,0 +1,132 @@
+diff -up openssh-5.5p1/auth-krb5.c.kuserok openssh-5.5p1/auth-krb5.c
+--- openssh-5.5p1/auth-krb5.c.kuserok	2010-06-08 11:40:10.000000000 +0200
++++ openssh-5.5p1/auth-krb5.c	2010-06-08 11:40:11.000000000 +0200
+@@ -146,9 +146,11 @@ auth_krb5_password(Authctxt *authctxt, c
+ 	if (problem)
+ 		goto out;
+ 
+-	if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
+-		problem = -1;
+-		goto out;
++	if (options.use_kuserok) {
++		if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
++			problem = -1;
++			goto out;
++		}
+ 	}
+ 
+ 	problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache);
+diff -up openssh-5.5p1/servconf.c.kuserok openssh-5.5p1/servconf.c
+--- openssh-5.5p1/servconf.c.kuserok	2010-06-08 11:40:10.000000000 +0200
++++ openssh-5.5p1/servconf.c	2010-06-08 11:46:20.000000000 +0200
+@@ -137,6 +137,7 @@ initialize_server_options(ServerOptions 
+ 	options->zero_knowledge_password_authentication = -1;
+ 	options->revoked_keys_file = NULL;
+ 	options->trusted_user_ca_keys = NULL;
++	options->use_kuserok = -1;
+ }
+ 
+ void
+@@ -285,6 +286,8 @@ fill_default_server_options(ServerOption
+ 	if (use_privsep == -1)
+ 		use_privsep = 1;
+ 
++	if (options->use_kuserok == -1)
++		options->use_kuserok = 1;
+ #ifndef HAVE_MMAP
+ 	if (use_privsep && options->compression == 1) {
+ 		error("This platform does not support both privilege "
+@@ -306,7 +309,7 @@ typedef enum {
+ 	sPermitRootLogin, sLogFacility, sLogLevel,
+ 	sRhostsRSAAuthentication, sRSAAuthentication,
+ 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
+-	sKerberosGetAFSToken,
++	sKerberosGetAFSToken, sKerberosUseKuserok,
+ 	sKerberosTgtPassing, sChallengeResponseAuthentication,
+ 	sPasswordAuthentication, sKbdInteractiveAuthentication,
+ 	sListenAddress, sAddressFamily,
+@@ -376,11 +379,13 @@ static struct {
+ #else
+ 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
+ #endif
++	{ "kerberosusekuserok", sKerberosUseKuserok, SSHCFG_ALL },
+ #else
+ 	{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
+ 	{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
+ 	{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
+ 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
++	{ "kerberosusekuserok", sUnsupported, SSHCFG_ALL },
+ #endif
+ 	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
+ 	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
+@@ -1335,6 +1340,10 @@ process_server_config_line(ServerOptions
+ 		*activep = value;
+ 		break;
+ 
++	case sKerberosUseKuserok:
++		intptr = &options->use_kuserok;
++		goto parse_flag;
++
+ 	case sPermitOpen:
+ 		arg = strdelim(&cp);
+ 		if (!arg || *arg == '\0')
+@@ -1517,6 +1526,7 @@ copy_set_server_options(ServerOptions *d
+ 	M_CP_INTOPT(x11_use_localhost);
+ 	M_CP_INTOPT(max_sessions);
+ 	M_CP_INTOPT(max_authtries);
++	M_CP_INTOPT(use_kuserok);
+ 
+ 	M_CP_STROPT(banner);
+ 	if (preauth)
+@@ -1734,6 +1744,7 @@ dump_config(ServerOptions *o)
+ 	dump_cfg_fmtint(sUseDNS, o->use_dns);
+ 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
+ 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
++	dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
+ 
+ 	/* string arguments */
+ 	dump_cfg_string(sPidFile, o->pid_file);
+diff -up openssh-5.5p1/servconf.h.kuserok openssh-5.5p1/servconf.h
+--- openssh-5.5p1/servconf.h.kuserok	2010-06-08 11:40:10.000000000 +0200
++++ openssh-5.5p1/servconf.h	2010-06-08 11:40:11.000000000 +0200
+@@ -157,6 +157,7 @@ typedef struct {
+ 
+ 	int	num_permitted_opens;
+ 
++	int	use_kuserok;
+ 	char   *chroot_directory;
+ 	char   *revoked_keys_file;
+ 	char   *trusted_user_ca_keys;
+diff -up openssh-5.5p1/sshd_config.5.kuserok openssh-5.5p1/sshd_config.5
+--- openssh-5.5p1/sshd_config.5.kuserok	2010-06-08 11:40:10.000000000 +0200
++++ openssh-5.5p1/sshd_config.5	2010-06-08 11:40:11.000000000 +0200
+@@ -519,6 +519,10 @@ Specifies whether to automatically destr
+ file on logout.
+ The default is
+ .Dq yes .
++.It Cm KerberosUseKuserok
++Specifies whether to look at .k5login file for user's aliases.
++The default is
++.Dq yes .
+ .It Cm KeyRegenerationInterval
+ In protocol version 1, the ephemeral server key is automatically regenerated
+ after this many seconds (if it has been used).
+@@ -644,6 +648,7 @@ Available keywords are
+ .Cm HostbasedAuthentication ,
+ .Cm KbdInteractiveAuthentication ,
+ .Cm KerberosAuthentication ,
++.Cm KerberosUseKuserok ,
+ .Cm MaxAuthTries ,
+ .Cm MaxSessions ,
+ .Cm PasswordAuthentication ,
+diff -up openssh-5.5p1/sshd_config.kuserok openssh-5.5p1/sshd_config
+--- openssh-5.5p1/sshd_config.kuserok	2010-06-08 11:40:10.000000000 +0200
++++ openssh-5.5p1/sshd_config	2010-06-08 11:40:11.000000000 +0200
+@@ -72,6 +72,7 @@ ChallengeResponseAuthentication no
+ #KerberosOrLocalPasswd yes
+ #KerberosTicketCleanup yes
+ #KerberosGetAFSToken no
++#KerberosUseKuserok yes
+ 
+ # GSSAPI options
+ #GSSAPIAuthentication no

openssh.spec

@@ -70,7 +70,7 @@
 %endif
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
-%define openssh_rel 12
+%define openssh_rel 13
 %define openssh_ver 5.5p1
 %define pam_ssh_agent_rel 26
 %define pam_ssh_agent_ver 0.9.2
@@ -130,6 +130,7 @@ Patch74: openssh-5.3p1-randclean.patch
 Patch76: openssh-5.5p1-staterr.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1750
 Patch77: openssh-5.5p1-stderr.patch
+Patch78: openssh-5.5p1-kuserok.patch
 
 License: BSD
 Group: Applications/Internet
@@ -301,6 +302,7 @@ popd
 %patch74 -p1 -b .randclean
 %patch76 -p1 -b .staterr
 %patch77 -p1 -b .stderr
+%patch78 -p1 -b .kuserok
 
 autoreconf
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@@ -582,6 +584,9 @@ fi
 %endif
 
 %changelog
+* Tue Jun  8 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-13 + 0.9.2-26
+- add option to switch out krb5_kuserok
+
 * Fri May 21 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-12 + 0.9.2-26
 - synchronize uid and gid for the user sshd