
Allow fallback to default krb5_kuserok() implementation for root user from localauth plugin #3829

Closed
sssd-bot opened this issue May 2, 2020 · 0 comments
Labels
Bugzilla Closed: Fixed Issue was closed as fixed.

Comments


sssd-bot commented May 2, 2020

Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/2788


Due to a missing condition for the root user in SSSD's implementation of the localauth plugin for MIT Kerberos, users whose Kerberos principals are listed in /root/.k5login cannot log in to the root account over ssh with GSSAPI.

The SSH server calls krb5_kuserok() after successful authentication to map the authenticated principal's name to a local user name and check whether it is allowed to log in. SSSD implements a localauth plugin that provides a userok() implementation, but it does not take the root user case into account. It needs to return the KRB5_PLUGIN_NO_HANDLE error code for this case so that the default check in ~/.k5login can continue.

An ltrace excerpt for sshd login to root with GSSAPI looks like this:

26481 krb5_init_context(0x55a3e3e914f0, 0x55a3e4a74460, 1, 0x7fd12cecc620)                                 = 0
26481 krb5_parse_name(0x55a3e4a8f840, 0x55a3e4a95e20, 0x7ffce9d89fc0, 0)                                   = 0
26481 __snprintf_chk(0x7ffce9d88fa0, 4096, 1, 4096)                                                        = 14
26481 access("/root/.k5login", 0)                                                                          = 0
26481 krb5_kuserok(0x55a3e4a8f840, 0x55a3e4a937a0, 0x55a3e4a74460, 1)                                      = 0
26481 __snprintf_chk(0x7ffce9d86f70, 4096, 1, 4096)                                                        = 14
26481 krb5_kuserok(0x55a3e4a8f840, 0x55a3e4a937a0, 0x55a3e4a74460, 1)                                      = 0
26481 krb5_free_principal(0x55a3e4a8f840, 0x55a3e4a937a0, 0, 0)                                            = 0
26481 gss_release_buffer(0x7ffce9d8a004, 0x55a3e3e91480, 0, 0)                                             = 0
26481 gss_release_buffer(0x7ffce9d8a004, 0x55a3e3e91490, 0, 0x7fd12d193b28)                                = 0
26481 gss_release_cred(0x7ffce9d8a004, 0x55a3e3e914a0, 0, 0x7fd12d193b28)                                  = 0

Notice krb5_kuserok() returning 0 (FALSE), i.e. the principal is not accepted, while I have the following in my /root/.k5login:

[root@m1 ~]# cat .k5login
admin@EXAMPLE.COM

Notice also that /root/.k5login is never read, which means the k5login localauth plugin is not called.
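To make the failure mode concrete, here is a small model of krb5_kuserok()'s localauth module chain with the SSSD plugin in front of the default k5login module. This is an added, constructed example, not SSSD or libkrb5 code; the module order, the user database and the .k5login contents are all assumptions, and NO_HANDLE is a stand-in for the real KRB5_PLUGIN_NO_HANDLE error code.

```python
"""Toy model of krb5_kuserok()'s localauth module chain (constructed example;
not libkrb5 or SSSD code). It shows why SSSD's userok() must decline the root
case with KRB5_PLUGIN_NO_HANDLE instead of rejecting it outright."""

# Stand-in for the KRB5_PLUGIN_NO_HANDLE error code (assumed sentinel value).
NO_HANDLE = object()

# Constructed SSSD user database: principal -> local account it maps to.
# root is a local /etc/passwd user, so SSSD knows no principal for it.
SSSD_USERS = {"alice@EXAMPLE.COM": "alice"}

# Constructed home directories: local user -> contents of ~/.k5login (or None).
K5LOGIN = {"root": "admin@EXAMPLE.COM\n", "alice": None}


def sssd_userok_buggy(principal, luser):
    """SSSD plugin before the fix: a lookup miss is an authoritative rejection."""
    return SSSD_USERS.get(principal) == luser


def sssd_userok_fixed(principal, luser):
    """SSSD plugin after the fix: decline root so the default modules get a say."""
    if luser == "root":
        return NO_HANDLE
    return SSSD_USERS.get(principal) == luser


def k5login_userok(principal, luser):
    """Default krb5 k5login module: accept principals listed in ~luser/.k5login."""
    text = K5LOGIN.get(luser)
    if text is None:
        return NO_HANDLE  # no .k5login: leave the decision to the next module
    return principal in {line.strip() for line in text.splitlines() if line.strip()}


def krb5_kuserok(principal, luser, modules):
    """Ask each module in turn; the first one that does not decline decides.
    Modeled on the documented contract: accept -> TRUE, NO_HANDLE -> try the
    next module, any other verdict -> authoritative FALSE."""
    for userok in modules:
        verdict = userok(principal, luser)
        if verdict is not NO_HANDLE:
            return bool(verdict)
    return False  # every module declined


def sshd_gssapi_root_login(principal, sssd_plugin):
    """sshd's authorization step after GSSAPI auth, SSSD plugin consulted first."""
    return krb5_kuserok(principal, "root", [sssd_plugin, k5login_userok])
```

With the buggy plugin, admin@EXAMPLE.COM is refused for root even though it is in /root/.k5login, because the SSSD module rejects before the k5login module is ever asked; with the fixed plugin the same login succeeds, and a principal absent from .k5login is still refused.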

Comments


Comment from jhrozek at 2015-09-17 16:18:24

This is related to ticket #2707


Comment from jhrozek at 2015-09-17 16:25:43

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.14 beta


Comment from jhrozek at 2015-09-30 14:54:24

Fields changed

rhbz: => todo


Comment from lslebodn at 2016-01-12 15:28:26

Fields changed

owner: somebody => lslebodn
patch: 0 => 1
status: new => assigned


Comment from jhrozek at 2016-01-27 16:03:09

Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1297462 (Red Hat Enterprise Linux 7)

rhbz: todo => [https://bugzilla.redhat.com/show_bug.cgi?id=1297462 1297462]


Comment from jhrozek at 2016-02-16 11:46:18

Since there is a patch available, moving to 1.14 alpha.

milestone: SSSD 1.14 beta => SSSD 1.14 alpha


Comment from jhrozek at 2016-06-20 11:57:35

The patches are under review, but I would like to release 1.14 alpha today, therefore moving to 1.14.0.

milestone: SSSD 1.14 alpha => SSSD 1.14.0


Comment from jhrozek at 2016-06-28 18:51:34

The original patch was nacked on the devel list, moving to triage to decide what to do with this ticket.

milestone: SSSD 1.14.0 => NEEDS_TRIAGE


Comment from jhrozek at 2016-07-01 16:19:33

We already did some improvements to the localauth plugin logic; this ticket is an incremental improvement.

milestone: NEEDS_TRIAGE => SSSD 1.16 beta


Comment from jhrozek at 2016-07-06 11:58:37

Fields changed

milestone: SSSD 1.16 beta => SSSD 1.14.0


Comment from jhrozek at 2016-07-06 19:17:30

resolution: => fixed
status: assigned => closed


Comment from jhrozek at 2016-11-28 11:51:37

Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1240302 (Red Hat Enterprise Linux 7)

rhbz: [https://bugzilla.redhat.com/show_bug.cgi?id=1297462 1297462] => [https://bugzilla.redhat.com/show_bug.cgi?id=1297462 1297462], [https://bugzilla.redhat.com/show_bug.cgi?id=1240302 1240302]


Comment from abbra at 2017-02-24 14:36:27

Metadata Update from @abbra:

  • Issue assigned to lslebodn
  • Issue set to the milestone: SSSD 1.14.0