[3796] in testers
Re: al_login_allowed backwards incompatibility
daemon@ATHENA.MIT.EDU (James M. Kretchmar)
Thu Jul 16 16:03:52 1998
To: Greg Hudson <ghudson@MIT.EDU>
Cc: "James M. Kretchmar" <kretch@MIT.EDU>, testers@MIT.EDU
In-Reply-To: Your message of "Thu, 16 Jul 1998 15:43:55 EDT."
<199807161943.PAA26728@small-gods.mit.edu>
Date: Thu, 16 Jul 1998 16:03:41 EDT
From: "James M. Kretchmar" <kretch@MIT.EDU>

> No, I mean a new feature. "Local account" does not mean "logging in
> without being able to get Kerberos tickets," it means, "the login
> system won't even try to get Kerberos tickets or do any other
> Athena-specific stuff."

I see, cool.

> > Password authentication. If you're not int *local_acct and you
> > fail, say, kerberos authentication, you lose.
>
> Sounds like an sshd bug.

Sure. auth-passwd.c has

    if (options.kerberos_authentication && !al_local_acct)
    {

and proceeds to do all the kerberos authentication. If it fails (as
would happen for a local account) it eventually falls down to label
errout2 which returns at

    if (!options.kerberos_or_local_passwd )
    {
      /* We do not need this so free them up */
      xfree(saved_pw_name);
      xfree(saved_pw_passwd);
      return 0;
    }

causing passwd authentication to not happen.
kretch
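
The control flow described in the message above, as an added example that is not part of the original message and is not sshd source. The function names, the krb_ok/local_ok inputs, and the placement of the kerberos_or_local_passwd test on the Kerberos failure path only are assumptions; the option and flag names come from the quoted snippets.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of the flow described in the message; not sshd source.
 * Field names follow the quoted snippets; everything else is assumed. */
struct options {
    bool kerberos_authentication;
    bool kerberos_or_local_passwd;
};

/* Returns 1 if password authentication succeeds, 0 otherwise.
 * krb_ok and local_ok are hypothetical stand-ins for the outcome of the
 * real Kerberos check and the real local passwd check. */
int auth_password_model(struct options options, bool al_local_acct,
                        bool krb_ok, bool local_ok)
{
    if (options.kerberos_authentication && !al_local_acct) {
        if (krb_ok)
            return 1;
        /* errout2: Kerberos failed (assumed to be reached only from here) */
        if (!options.kerberos_or_local_passwd)
            return 0;   /* the local passwd check below is never reached */
    }
    return local_ok ? 1 : 0;
}

/* Counts the (al_local_acct, krb_ok) combinations in which a user who
 * supplied a correct local password is still refused. */
int count_refused_valid_local(struct options options)
{
    int refused = 0;
    for (int local_acct = 0; local_acct <= 1; local_acct++)
        for (int krb_ok = 0; krb_ok <= 1; krb_ok++)
            if (!auth_password_model(options, local_acct, krb_ok, true))
                refused++;
    return refused;
}

int main(void)
{
    struct options strict = { true, false };    /* fallback disabled */
    struct options fallback = { true, true };   /* fallback enabled */
    printf("strict: %d refused, fallback: %d refused\n",
           count_refused_valid_local(strict),
           count_refused_valid_local(fallback));
    return 0;
}
```

The one refused case with the fallback disabled is the one the thread is about: not flagged as a local account, Kerberos fails, and the correct local password is never checked.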