#2788 Allow fallback to default krb5_kuserok() implementation for root user from localauth plugin
Closed: Fixed None Opened 7 years ago by abbra.

Due to a missing condition for a root user in SSSD's implementation of localauth plugin for MIT Kerberos, users whose Kerberos principals are specified in /root/.k5login cannot login with GSSAPI to root account over ssh.

SSH server will call krb5_kuserok() after successful authentication to transform the authenticated principals' name to local user name and check whether it is allowed to login. SSSD implements localauth plugin that provides a userok() implementation but it does not take root user case into account. It needs to return KRB5_PLUGIN_NO_HANDLE error code for this case so that a default check in ~/.k5login would continue.

An ltrace excerpt for sshd login to root with GSSAPI looks like this:

26481 krb5_init_context(0x55a3e3e914f0, 0x55a3e4a74460, 1, 0x7fd12cecc620)                                 = 0
26481 krb5_parse_name(0x55a3e4a8f840, 0x55a3e4a95e20, 0x7ffce9d89fc0, 0)                                   = 0
26481 __snprintf_chk(0x7ffce9d88fa0, 4096, 1, 4096)                                                        = 14
26481 access("/root/.k5login", 0)                                                                          = 0
26481 krb5_kuserok(0x55a3e4a8f840, 0x55a3e4a937a0, 0x55a3e4a74460, 1)                                      = 0
26481 __snprintf_chk(0x7ffce9d86f70, 4096, 1, 4096)                                                        = 14
26481 krb5_kuserok(0x55a3e4a8f840, 0x55a3e4a937a0, 0x55a3e4a74460, 1)                                      = 0
26481 krb5_free_principal(0x55a3e4a8f840, 0x55a3e4a937a0, 0, 0)                                            = 0
26481 gss_release_buffer(0x7ffce9d8a004, 0x55a3e3e91480, 0, 0)                                             = 0
26481 gss_release_buffer(0x7ffce9d8a004, 0x55a3e3e91490, 0, 0x7fd12d193b28)                                = 0
26481 gss_release_cred(0x7ffce9d8a004, 0x55a3e3e914a0, 0, 0x7fd12d193b28)                                  = 0

Notice krb5_kuserok() returning 0 (FALSE), e.g. principal is not accepted while I have in my /root/.k5login following:

[root@m1 ~]# cat .k5login 
admin@EXAMPLE.COM

Notice also that /root/.k5login is never read which means localauth plugin k5login is not called.


This is related to ticket #2707

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.14 beta

Fields changed

rhbz: => todo

Fields changed

owner: somebody => lslebodn
patch: 0 => 1
status: new => assigned

Since there is a patch available, moving to 1.14 alpha.

milestone: SSSD 1.14 beta => SSSD 1.14 alpha

The patches are on review, but I would like to release 1.14 alpha today, therefore moving to 1.14.0

milestone: SSSD 1.14 alpha => SSSD 1.14.0

The original patch was nacked on the devel list, moving to triage to decide what to do with this ticket.

milestone: SSSD 1.14.0 => NEEDS_TRIAGE

We already did some improvements to the localauth plugin logic, this ticket is an incremental improvement.

milestone: NEEDS_TRIAGE => SSSD 1.16 beta

Fields changed

milestone: SSSD 1.16 beta => SSSD 1.14.0

resolution: => fixed
status: assigned => closed

Metadata Update from @abbra:
- Issue assigned to lslebodn
- Issue set to the milestone: SSSD 1.14.0

5 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3829

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata