MAX_USERNAME in krb5_kuserok

Keith Milligan kmilligan at locusdiscovery.com
Tue Dec 3 20:26:18 EST 2002


I recently upgraded to RedHat 8 on one of my boxes (which uses pam_krb5
1.56) and noticed that accounts with names of 10 characters or more could
no longer log on.  It looks like the newer versions of pam_krb5 make a
call to krb5_kuserok, which is where the authentication fails.  I took a
look at this source code and found that there was a MAX_USERNAME of 10
defined in that file.  Does anyone know if this is a value that would be
reasonable to increase, since many systems support user IDs of length
greater than 10 characters, and many admins need to do this to keep Unix
accounts identical to typically longer NT logins?

I've included the bits of code below.  It's failing on the
krb5_aname_to_localname call with the error "Insufficient space to
return complete information".

Thanks for any insight you can provide.

From the file src/lib/krb5/os/kuserok.c:

...
#define MAX_USERNAME 10
...
krb5_kuserok(context, principal, luser)
    krb5_context context;
    krb5_principal principal;
    const char *luser;
{
    ...
    char kuser[MAX_USERNAME];
    ...
    if (access(pbuf, F_OK)) {    /* not accessible */
        /*
         * if he's trying to log in as himself, and there is no .k5login file,
         * let him.  To find out, call
         * krb5_aname_to_localname to convert the principal to a name
         * which we can string compare.
         */
        if (!(krb5_aname_to_localname(context, principal,
                                      sizeof(kuser), kuser))
            && (strcmp(kuser, luser) == 0)) {
            return(TRUE);
        }
    }
    ...
}

-- 
Keith Milligan <kmilligan at locusdiscovery.com>
Locus Discovery Inc
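As an added illustration (not code from the original post or from MIT krb5), the following self-contained C model reproduces the failure mode described above: a buffer of MAX_USERNAME bytes is handed to a name-conversion routine that also needs room for the terminating NUL, so any local name of 10 characters or longer is rejected with an insufficient-space error, and the "logging in as himself" check in krb5_kuserok then falls through to a denial. The functions model_aname_to_localname and model_kuserok_self, the MODEL_* return codes and the sample principals are hypothetical stand-ins; the real krb5_aname_to_localname is not called.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Stand-in for the MAX_USERNAME the post quotes from kuserok.c. */
#define MAX_USERNAME 10

/* Stand-in return codes for this model (not krb5's real error numbers). */
enum { MODEL_OK = 0, MODEL_ERR_NOTENUFSPACE = 1, MODEL_ERR_NOPRINC = 2 };

/*
 * Hypothetical model of krb5_aname_to_localname: take a principal string
 * of the form "user@REALM" (realm checks are not modelled; the first
 * component is used as the local name) and copy the local name into
 * lname, which holds lnsize bytes.  The terminating NUL must fit too, so
 * a name of lnsize characters or more is reported as not fitting.
 */
static int model_aname_to_localname(const char *principal, size_t lnsize, char *lname)
{
    const char *at = strchr(principal, '@');
    size_t namelen = at ? (size_t)(at - principal) : strlen(principal);

    if (namelen == 0)
        return MODEL_ERR_NOPRINC;
    if (namelen + 1 > lnsize)          /* +1 for the NUL terminator */
        return MODEL_ERR_NOTENUFSPACE;
    memcpy(lname, principal, namelen);
    lname[namelen] = '\0';
    return MODEL_OK;
}

/*
 * Model of the "no .k5login, logging in as himself" branch of krb5_kuserok
 * quoted in the post, with the buffer size made a parameter so the effect
 * of MAX_USERNAME can be observed.  Returns 1 if luser is allowed, else 0.
 * A failed conversion is treated as "not authorized", as in the quoted code.
 */
static int model_kuserok_self(const char *principal, const char *luser, size_t bufsize)
{
    char kuser[64];   /* backing store; bufsize limits how much the model may use */
    if (bufsize > sizeof(kuser))
        bufsize = sizeof(kuser);
    if (model_aname_to_localname(principal, bufsize, kuser) != MODEL_OK)
        return 0;
    return strcmp(kuser, luser) == 0;
}

int main(void)
{
    /* Constructed sample principals and local usernames for the demonstration. */
    const char *cases[][2] = {
        { "kmilligan@EXAMPLE.COM",       "kmilligan" },       /*  9 chars: fits in 10 */
        { "kmilligan1@EXAMPLE.COM",      "kmilligan1" },      /* 10 chars: needs 11 bytes */
        { "longer_username@EXAMPLE.COM", "longer_username" }, /* 15 chars */
    };
    size_t i;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        printf("%-16s MAX_USERNAME=%d buffer: %s   64-byte buffer: %s\n",
               cases[i][1], MAX_USERNAME,
               model_kuserok_self(cases[i][0], cases[i][1], MAX_USERNAME) ? "allowed" : "denied",
               model_kuserok_self(cases[i][0], cases[i][1], 64) ? "allowed" : "denied");
    }
    return 0;
}
```

The point the model makes visible is the off-by-one in the size reasoning: a 10-byte buffer holds at most a 9-character name, which matches the post's observation that names of 10 or more fail. Whatever limit is chosen, the caller should keep passing sizeof(kuser) rather than a hard-coded constant, and should distinguish "conversion failed" from "names differ" when deciding what to log, since both currently surface only as an authentication failure.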
