nisse@lysator.liu.se (Niels Möller) writes:

> Simon Josefsson <jas@extundo.com> writes:
>
>> Right, what I was looking for was something similar to
>>
>>   connection->user = USER_LOOKUP(self->gssapi->db, authid, authzid);
>>
>> where authid was the GSS authenticated user (e.g., "jas") and authzid the username received from the first USERAUTH_REQUEST (e.g., "root").
>
> lshd cares only about the username provided in the USERAUTH_REQUEST, and the passwd information (uid, login shell, etc.) in the user object returned by the userauth method. These are generally expected to match.
>
> One problem is that the GSSAPI document allows the field to be empty, to provide anonymous usage. Fortunately, OpenSSH doesn't support this, though.
>
> For the case of a user, "jas", logging in as root (for Kerberos, that means that "jas" is listed in a file in root's home directory, IIRC), I would expect the USERAUTH_REQUEST to request login for "root", and the information that you want to use tickets belonging to "jas" should be somewhere inside the GSS-API or Kerberos messages, and then I can view it as an internal detail of the GSS-API mechanism. Checking that "jas" is allowed to log in as root should be the responsibility of the GSS-API userauth method.
OK. This is almost how it works now. Only Heimdal/MIT support it, via the kuserok function. When GSS is used, one is only allowed to log on as the authenticated username.
Thanks, Simon
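The authorization step Niels describes above, as an added example that is not lsh code and not the Heimdal/MIT kuserok implementation: the GSS-API exchange proves a principal (authid), the USERAUTH_REQUEST names an account (authzid), and the userauth method has to decide whether the one may become the other. The example assumes a .k5login-style list (one principal per line in the target user's home directory), a default realm EXAMPLE.ORG, and a constructed temporary home-directory layout; all of those are assumptions for illustration. It also rejects the empty username that the GSSAPI draft allows for anonymous use, so that case never reaches the passwd lookup.

```python
"""Authorization check for a GSS-API/Kerberos SSH userauth method.

Added example, not lsh code and not the real kuserok().  Assumes a
.k5login-style access list in the target user's home directory and a
single default realm (EXAMPLE.ORG, an assumption for this example).
"""
from __future__ import annotations

import os
import tempfile
from typing import Optional

DEFAULT_REALM = "EXAMPLE.ORG"   # assumed realm for the example


def local_name(principal: str, default_realm: str = DEFAULT_REALM) -> Optional[str]:
    """Map 'jas@EXAMPLE.ORG' to the local user 'jas'.

    Principals from other realms, with instances ('jas/admin@...'), or with an
    empty name get no local name: they must be listed explicitly to log in.
    """
    if "@" not in principal:
        return None
    name, realm = principal.rsplit("@", 1)
    if realm != default_realm or "/" in name or not name:
        return None
    return name


def read_k5login(path: str) -> Optional[set[str]]:
    """Return the principals listed in a .k5login file, or None if there is no file."""
    try:
        with open(path, encoding="utf-8") as fh:
            return {ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")}
    except FileNotFoundError:
        return None


def kuserok(authid: str, authzid: str, home_dir: str) -> bool:
    """Decide whether the authenticated principal may log in as the requested user.

    authid   -- principal proven by the GSS-API exchange, e.g. 'jas@EXAMPLE.ORG'
    authzid  -- user name carried in SSH_MSG_USERAUTH_REQUEST, e.g. 'root'
    home_dir -- home directory of authzid, where its .k5login would live
    """
    if not authzid:
        # An empty user name means anonymous use; never map that onto an account.
        return False
    listed = read_k5login(os.path.join(home_dir, ".k5login"))
    if listed is not None:
        # An explicit list is authoritative: exactly those principals, nobody else,
        # even the account's own principal unless it lists itself.
        return authid in listed
    # No list: the principal's local name must be the requested account.
    return local_name(authid) == authzid


def demo() -> dict[str, bool]:
    """Build a constructed home-directory layout and return the decisions."""
    with tempfile.TemporaryDirectory() as tmp:
        root_home = os.path.join(tmp, "root")
        jas_home = os.path.join(tmp, "jas")
        os.makedirs(root_home)
        os.makedirs(jas_home)
        # Constructed sample: root's .k5login admits jas; jas has no .k5login.
        with open(os.path.join(root_home, ".k5login"), "w", encoding="utf-8") as fh:
            fh.write("# constructed sample access list\njas@EXAMPLE.ORG\n")
        return {
            "jas as root (listed)": kuserok("jas@EXAMPLE.ORG", "root", root_home),
            "jas as jas (no list, name matches)": kuserok("jas@EXAMPLE.ORG", "jas", jas_home),
            "mallory as root (not listed)": kuserok("mallory@EXAMPLE.ORG", "root", root_home),
            "foreign-realm jas as jas": kuserok("jas@OTHER.NET", "jas", jas_home),
            "jas/admin as jas": kuserok("jas/admin@EXAMPLE.ORG", "jas", jas_home),
            "anonymous (empty user name)": kuserok("jas@EXAMPLE.ORG", "", root_home),
        }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allow' if allowed else 'deny'}")
```

The point of keeping the list authoritative when it exists, and falling back to a strict name match only when it does not, is that the authenticated identity and the requested account are decided by two different parties: the KDC vouches for authid, the account owner (via the list) for who may use it. A server that only compared the two names would have no way to express "jas may become root" without also letting every principal in the realm become itself on every host.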