fedfb7c KRB5: Send the output username, not internal fqname to krb5_child

4 files. Authored by jhrozek 7 years ago, committed by lslebodn 7 years ago.
    KRB5: Send the output username, not internal fqname to krb5_child
    
    krb5_child calls krb5_kuserok() during the access phase which checks if
    a particular user is allowed to authenticate as a particular principal.
    We used to pass the internal fqname to krb5_kuserok() which broke the
    functionality and all users were denied access.
    
    This patch changes that to send the 'output' username to krb5_child,
    because that's the username the system receives through getpwnam() or
    getpwuid() anyway. The patch also adds a new structure member to the
    krb5child_req structure to avoid reusing the pd->user variable but have
    an explicit one that serves as the input for the child process.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/3172
    
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>