Heimdal: Patch to permit gss-with-mic to function if ~/.k5login is unreadable
Status: Needs Review (Public)

Authored by feld on Mar 30 2018, 6:08 PM.
Details

Reviewers
zi
bjk
Summary

ssh login with the gssapi-with-mic mechanism will fail with errors if user
home directories are restricted and not world-readable (e.g., 0700).
This patch corrects the issue.

The inability to disable ~/.k5login and ~/.k5login.d checks entirely is a
different shortcoming in Heimdal and not within this scope. The current
behavior in Heimdal retards the ability to enforce company security
policies that prohibit shared user accounts.

Diff Detail

Repository
rS FreeBSD src repository - subversion

Event Timeline

As discussed in https://github.com/heimdal/heimdal/issues/368, the k5login file can be used to restrict access, so
I do not think that ignoring EACCES and EPERM is a change to be taken lightly.
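The trade-off behind this objection, as an added illustration written for this page (it is not Heimdal's kuserok code and does not reproduce the patch): an existing ~/.k5login is authoritative, so the question is what an open() that fails with EACCES or EPERM should mean. Treating it like ENOENT (the `lenient` flag below, standing in for the behaviour the summary asks for) falls back to the built-in rule; treating it as a denial is the conservative reading. The enum, function names, the k5login syntax handled (one principal per line, `#` comments) and the simplified default rule are assumptions of this example; Heimdal's real default rule also checks the realm, which is left out here. Sample file contents are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Outcome of consulting ~/.k5login for one (principal, local user) pair. */
enum k5_verdict { K5_DENY = 0, K5_ALLOW = 1, K5_DEFAULT_RULE = 2 };

/*
 * Map the errno of a failed open of ~/.k5login to a verdict.
 *   ENOENT         -> no file: apply the built-in rule.
 *   EACCES / EPERM -> strict: deny (an unreadable file may exist and may be
 *                     restrictive); lenient: apply the built-in rule, i.e.
 *                     the relaxation discussed in this review.
 *   anything else  -> deny.
 */
enum k5_verdict k5login_open_error(int err, int lenient)
{
    if (err == ENOENT)
        return K5_DEFAULT_RULE;
    if ((err == EACCES || err == EPERM) && lenient)
        return K5_DEFAULT_RULE;
    return K5_DENY;
}

/*
 * Scan k5login text: one principal per line, surrounding whitespace and a
 * trailing CR ignored, blank lines and '#' comments skipped. A file that
 * exists is authoritative: an unlisted principal (or an empty file) denies.
 */
enum k5_verdict k5login_scan(const char *text, const char *principal)
{
    size_t plen = strlen(principal);
    const char *line = text;

    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);

        while (len > 0 && (line[0] == ' ' || line[0] == '\t')) {
            line++;
            len--;
        }
        while (len > 0 && (line[len - 1] == ' ' || line[len - 1] == '\t' ||
                           line[len - 1] == '\r'))
            len--;

        if (len > 0 && line[0] != '#' && len == plen &&
            memcmp(line, principal, plen) == 0)
            return K5_ALLOW;

        if (nl == NULL)
            break;
        line = nl + 1;
    }
    return K5_DENY;
}

/*
 * Simplified built-in rule (assumption of this example): the principal's
 * first component must equal the local user name. A real implementation
 * also checks that the realm is the local one.
 */
enum k5_verdict k5login_default_rule(const char *principal, const char *luser)
{
    const char *at = strchr(principal, '@');
    size_t n = at ? (size_t)(at - principal) : strlen(principal);

    if (n == strlen(luser) && memcmp(principal, luser, n) == 0)
        return K5_ALLOW;
    return K5_DENY;
}

/* Full check against a path on disk; `lenient` selects the relaxed errno handling. */
enum k5_verdict k5login_check(const char *path, const char *principal,
                              const char *luser, int lenient)
{
    char buf[4096];
    size_t n;
    FILE *f = fopen(path, "r");

    if (f == NULL) {
        enum k5_verdict v = k5login_open_error(errno, lenient);
        return v == K5_DEFAULT_RULE ? k5login_default_rule(principal, luser) : v;
    }
    n = fread(buf, 1, sizeof buf - 1, f);
    buf[n] = '\0';
    fclose(f);
    return k5login_scan(buf, principal);
}

int main(void)
{
    /* constructed k5login contents, not taken from any real host */
    const char *k5 = "# allowed principals\nalice@EXAMPLE.COM\n  bob/admin@EXAMPLE.COM \n";

    printf("alice listed: %d\n", k5login_scan(k5, "alice@EXAMPLE.COM") == K5_ALLOW);
    printf("carol listed: %d\n", k5login_scan(k5, "carol@EXAMPLE.COM") == K5_ALLOW);
    printf("EACCES, strict, denies: %d\n", k5login_open_error(EACCES, 0) == K5_DENY);
    printf("EACCES, lenient, default rule: %d\n",
           k5login_open_error(EACCES, 1) == K5_DEFAULT_RULE);
    return 0;
}
```

The point the strict branch makes is that a 0700 home directory is indistinguishable, from the checking process's side, from a deliberately restrictive k5login that the process is not allowed to read; the lenient branch trades that distinction away in exchange for logins working when the checker runs without privilege.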

FYI, this affects FreeBSD 11.3 and FreeBSD 12.0 and we've started deploying this patch so we can get a working Kerberos.

We don't patch the OS itself, rather, we take this approach:

  • apply the patch
  • buildworld
  • the patched library is at obj/usr/src/amd64.amd64/kerberos5/lib/libkrb5/libkrb5.so.11
  • install this patched Kerberos library to /usr/local/lib/PICK_A_NAME/libkrb5.so.11
  • create /usr/local/etc/libmap.d/sshd.conf with this content:
[/usr/sbin/sshd]
libkrb5.so.11   /usr/local/lib/PICK_A_NAME/libkrb5.so.11

Profit.

In D14911#313717, @bjk wrote:

As discussed in https://github.com/heimdal/heimdal/issues/368, the k5login file can be used to restrict access, so
I do not think that ignoring EACCES and EPERM is a change to be taken lightly.

My reading of that URL indicates that those options are not available in the version of Heimdal available to FreeBSD 11.3 and FreeBSD 12.0.

I am happy to test them if they are, but I've failed to find the documentation for them. Please help if you know more. Thank you.

EDIT: I tested both options on FreeBSD 12.

I tried adding kuserok = SYSTEM-K5LOGIN to /etc/krb5.conf

Running verify_krb5_conf gives: verify_krb5_conf: /libdefaults/kuserok: unknown entry

Similarly, kuserok gives: verify_krb5_conf: /libdefaults/kuserok: unknown entry