Processing .k5login (another patch)

Roland C. Dowdeswell elric at imrryr.org
Wed Sep 1 16:07:50 EDT 2010


It is not always appropriate for users to be able to decide who is
allowed to log in to their accounts.  I propose a krb5.conf setting
to disable this, called ``use-k5login'', which defaults to the current
behaviour.

Here's the patch:

Index: os/kuserok.c
===================================================================
RCS file: /ms/dev/kerberos/mitkrb5/cvs-dirs/mitkrb5-1.4/mitkrb5/src/lib/krb5/os/kuserok.c,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 kuserok.c
--- os/kuserok.c	16 Aug 2005 19:52:00 -0000	1.1.1.2
+++ os/kuserok.c	1 Sep 2010 20:02:47 -0000
@@ -59,6 +59,20 @@
  *
  */
 
+static krb5_boolean KRB5_CALLCONV
+krb5_kuserok_an2ln(krb5_context ctx, krb5_principal princ, const char *luser)
+{
+    char kuser[MAX_USERNAME];
+
+    if (!krb5_aname_to_localname(ctx, princ, sizeof(kuser), kuser))
+	return FALSE;
+
+    if (!strcmp(kuser, luser))
+	return TRUE;
+
+    return FALSE;
+}
+
 krb5_boolean KRB5_CALLCONV
 krb5_kuserok(krb5_context context, krb5_principal principal, const char *luser)
 {
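Review bot: The success test in krb5_kuserok_an2ln is inverted: krb5_aname_to_localname returns 0 on success, and the code this helper replaces in the third hunk treats `!(krb5_aname_to_localname(...))` as the success case, so `if (!krb5_aname_to_localname(ctx, princ, sizeof(kuser), kuser)) return FALSE;` rejects every principal that maps cleanly and, when the mapping fails, goes on to strcmp() an uninitialized `kuser`. The line should read `if (krb5_aname_to_localname(ctx, princ, sizeof(kuser), kuser)) return FALSE;`. Both new call sites inherit this, the early return in the second hunk and the replacement in the third, so with use-k5login disabled no login could be authorized and in the missing-.k5login case the answer depends on stack contents. A short header comment stating the contract would also help, e.g. `/* TRUE iff princ maps to the local account luser; FALSE on mapping failure. */`.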
@@ -72,12 +86,20 @@
     char linebuf[BUFSIZ];
     char *newline;
     int gobble;
+    int use_k5login;
 
     /* no account => no access */
     char pwbuf[BUFSIZ];
     struct passwd pwx;
     if (k5_getpwnam_r(luser, &pwx, pwbuf, sizeof(pwbuf), &pwd) != 0)
 	return(FALSE);
+
+    profile_get_boolean(context->profile, "libdefaults",
+                        "use-k5login", 0, 1, &use_k5login);
+
+    if (!use_k5login)
+	return krb5_kuserok_an2ln(context, principal, luser);
+
     (void) strncpy(pbuf, pwd->pw_dir, sizeof(pbuf) - 1);
     pbuf[sizeof(pbuf) - 1] = '\0';
     (void) strncat(pbuf, "/.k5login", sizeof(pbuf) - 1 - strlen(pbuf));
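Review bot: `use_k5login` can be read uninitialized: the profile_get_boolean call after the k5_getpwnam_r check discards its return value, and when the lookup fails for a reason other than a missing section or relation (a malformed boolean in krb5.conf, for instance) the output parameter is not written, so the `if (!use_k5login)` gate is decided by whatever happens to be on the stack. Either check the result and treat an unreadable setting as a denial, `if (profile_get_boolean(context->profile, "libdefaults", "use-k5login", 0, 1, &use_k5login)) return FALSE;`, or at minimum declare `int use_k5login = 1;` so the documented default also covers the error path. Separately, the existing libdefaults relations use underscores (default_realm, dns_lookup_kdc), so `use_k5login` would fit the naming convention better than the hyphenated key. krb5_kuserok's body continues outside the hunk.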
@@ -89,12 +111,9 @@
 	 * krb5_aname_to_localname to convert the principal to a name
 	 * which we can string compare. 
 	 */
-	if (!(krb5_aname_to_localname(context, principal,
-				      sizeof(kuser), kuser))
-	    && (strcmp(kuser, luser) == 0)) {
-	    return(TRUE);
-	}
+	return krb5_kuserok_an2ln(context, principal, luser);
     }
+
     if (krb5_unparse_name(context, principal, &princname))
 	return(FALSE);			/* no hope of matching */
 
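Review bot: After this replacement the `kuser` buffer declared earlier in krb5_kuserok appears to have no remaining use, since the aname_to_localname mapping now lives entirely in krb5_kuserok_an2ln; if nothing later in the function reads it, its declaration should be removed in the same change to avoid an unused-variable warning. The enclosing `if` block opens outside the hunk and the function continues past it, so this is inferred from the visible lines only.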

--
    Roland Dowdeswell                      http://Imrryr.ORG/~elric/


