Current-Users archive


Re: kerberos issues with 10.0_BETA post openssl update



> Date: Wed, 6 Sep 2023 10:39:34 +0000
> From: Taylor R Campbell <riastradh%NetBSD.org@localhost>
> 
> A possible workaround is to set:
> 
> 	[libdefaults]
> 		k5login_directory = /root
> 
> However, that applies to _all_ kuserok checks for _all_ users, not
> just the pam_ksu one for root, so it will probably break other things.
> I'm not sure there is a way in the config file to specify it just for
> pam_ksu or just for root.

Here's a workaround you could test with no code changes that shouldn't
break other applications: move /root/.k5login to /etc/k5login.d/root,
and set

	[libdefaults]
		kuserok = USER-K5LOGIN SYSTEM-K5LOGIN SIMPLE DENY

in /etc/krb5.conf.  Still worth finding a code fix for pam_ksu, but
you can try this workaround in the meantime.

