Re: Broken k5login authentication type.
From: Mats Erik Andersson
Subject: Re: Broken k5login authentication type.
Date: Wed, 8 Aug 2012 13:05:06 +0200
User-agent: Mutt/1.5.18 (2008-05-17)
On Wednesday, 8 August 2012 at 12:39, Simon Josefsson wrote:
> Mats Erik Andersson <address@hidden> writes:
>
> Thank you! Patch applied.
>
> > * No falling back to other authentication types, as this would
> > constitute a security breach in itself.
>
> I think you refer to the case where there is no .k5login file. I recall
> that MIT/Heimdal fall back on a strcmp-like approach in this situation,
> doesn't it? If the file doesn't exist, I think the semantics in
> MIT/Heimdal is that if your principal matches the username, you are let
> in. Please check this and followup.
My preferred interpretation is that
shishi_authorize_p (h, "k5login");
should only set authorization type "k5login", nothing more, nothing less.
Allowing the fallback is equivalent to making the above call equal to
shishi_authorize_p (h, "k5login basic");
I find it important to be able to enforce a distinction here.
Best regards,
Mats E A
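The distinction drawn in this thread, as an added example that is not Shishi's code and does not use its API: a policy string such as "k5login" or "k5login basic" is parsed into a set of independent authorization types, and each type is evaluated on its own, so a missing ~/.k5login under plain "k5login" authorizes nobody instead of quietly degrading to the username check. The names authz_parse, authz_basic, authz_k5login and authorized_p are hypothetical. The example assumes the .k5login format is one principal per line, and models "basic" as the rule Simon describes (principal name equal to the local username), here taken together with the local realm; the file content and principals are constructed sample data.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Shishi code: authorization types are a bitmask so
   that "k5login" and "k5login basic" are distinct policies. */
#define AUTHZ_BASIC   0x01
#define AUTHZ_K5LOGIN 0x02

/* Parse a space-separated type list ("k5login", "k5login basic") into a
   bitmask.  Unknown names are ignored; an empty result authorizes nobody. */
static int authz_parse(const char *spec)
{
    int types = 0;
    const char *p = spec;

    while (*p) {
        size_t n;
        while (*p == ' ')
            p++;
        n = strcspn(p, " ");
        if (n == 0)
            break;
        if (n == 5 && strncmp(p, "basic", 5) == 0)
            types |= AUTHZ_BASIC;
        else if (n == 7 && strncmp(p, "k5login", 7) == 0)
            types |= AUTHZ_K5LOGIN;
        p += n;
    }
    return types;
}

/* "basic" (assumed rule): the principal's primary must equal the local
   username and its realm must be the local realm, e.g. alice@EXAMPLE.ORG
   for the account alice. */
static bool authz_basic(const char *principal, const char *user,
                        const char *realm)
{
    const char *at = strchr(principal, '@');
    size_t ulen = strlen(user);

    if (at == NULL)
        return false;
    return (size_t)(at - principal) == ulen
        && strncmp(principal, user, ulen) == 0
        && strcmp(at + 1, realm) == 0;
}

/* "k5login": k5login is the text of ~/.k5login, or NULL when the file does
   not exist.  Only an exact principal match on some line authorizes.  A
   missing file authorizes nobody; the "basic" rule is never applied here. */
static bool authz_k5login(const char *k5login, const char *principal)
{
    const char *line = k5login;

    if (k5login == NULL)
        return false;
    while (*line) {
        size_t n = strcspn(line, "\n");
        size_t m = n;
        /* Strip trailing whitespace and CR before comparing. */
        while (m > 0 && (line[m - 1] == ' ' || line[m - 1] == '\t'
                         || line[m - 1] == '\r'))
            m--;
        if (m == strlen(principal) && strncmp(line, principal, m) == 0)
            return true;
        line += n;
        if (*line == '\n')
            line++;
    }
    return false;
}

/* Each enabled type is tried on its own; success in any one authorizes.
   No type silently falls back to another: "k5login" alone never consults
   the username rule. */
static bool authorized_p(const char *spec, const char *k5login,
                         const char *principal, const char *user,
                         const char *realm)
{
    int types = authz_parse(spec);

    if ((types & AUTHZ_K5LOGIN) && authz_k5login(k5login, principal))
        return true;
    if ((types & AUTHZ_BASIC) && authz_basic(principal, user, realm))
        return true;
    return false;
}

int main(void)
{
    /* Constructed sample ~/.k5login for the account alice. */
    const char *k5login = "bob@EXAMPLE.ORG\nalice/admin@EXAMPLE.ORG\n";

    printf("k5login, no file, alice@EXAMPLE.ORG: %d\n",
           authorized_p("k5login", NULL, "alice@EXAMPLE.ORG",
                        "alice", "EXAMPLE.ORG"));
    printf("k5login basic, no file, alice@EXAMPLE.ORG: %d\n",
           authorized_p("k5login basic", NULL, "alice@EXAMPLE.ORG",
                        "alice", "EXAMPLE.ORG"));
    printf("k5login, file, bob@EXAMPLE.ORG: %d\n",
           authorized_p("k5login", k5login, "bob@EXAMPLE.ORG",
                        "alice", "EXAMPLE.ORG"));
    return 0;
}
```

The first call is the case the thread argues about: with only "k5login" enabled and no file present, the answer is refusal, and enabling the username rule requires saying "k5login basic" explicitly.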