diff -Naur -x '*~' -x '*.orig' openssh-8.0p1/gss-serv-krb5.c openssh-8.0p1-GSSAPIEnablek5users/gss-serv-krb5.c --- openssh-8.0p1/gss-serv-krb5.c 2019-04-29 19:55:51.864495351 +0200 +++ openssh-8.0p1-GSSAPIEnablek5users/gss-serv-krb5.c 2019-04-29 19:56:25.505261148 +0200 @@ -278,7 +278,6 @@ FILE *fp; char file[MAXPATHLEN]; char *line = NULL; - char kuser[65]; /* match krb5_kuserok() */ struct stat st; struct passwd *pw = the_authctxt->pw; int found_principal = 0; @@ -288,7 +287,7 @@ snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir); /* If both .k5login and .k5users DNE, self-login is ok. */ - if (!k5login_exists && (access(file, F_OK) == -1)) { + if ( !options.enable_k5users || (!k5login_exists && (access(file, F_OK) == -1))) { return ssh_krb5_kuserok(krb_context, principal, luser, k5login_exists); } diff -Naur -x '*~' -x '*.orig' openssh-8.0p1/servconf.c openssh-8.0p1-GSSAPIEnablek5users/servconf.c --- openssh-8.0p1/servconf.c 2019-04-29 19:55:51.864495351 +0200 +++ openssh-8.0p1-GSSAPIEnablek5users/servconf.c 2019-04-29 19:56:25.506261141 +0200 @@ -132,6 +132,7 @@ options->gss_store_rekey = -1; options->gss_kex_algorithms = NULL; options->use_kuserok = -1; + options->enable_k5users = -1; options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->challenge_response_authentication = -1; @@ -373,6 +374,8 @@ #endif if (options->use_kuserok == -1) options->use_kuserok = 1; + if (options->enable_k5users == -1) + options->enable_k5users = 0; if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) @@ -516,7 +519,7 @@ sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, sHostKeyAlgorithms, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, - sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, + sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor, sGssKeyEx, sGssKexAlgorithms, sGssStoreRekey, sAcceptEnv, sSetEnv, sPermitTunnel, sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory, @@ -601,6 +604,7 @@ { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL }, { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL }, { "gssapikexalgorithms", sGssKexAlgorithms, SSHCFG_GLOBAL }, + { "gssapienablek5users", sGssEnablek5users, SSHCFG_ALL }, #else { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, @@ -609,6 +613,7 @@ { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL }, { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL }, { "gssapikexalgorithms", sUnsupported, SSHCFG_GLOBAL }, + { "gssapienablek5users", sUnsupported, SSHCFG_ALL }, #endif { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL }, { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL }, @@ -1974,6 +1979,10 @@ intptr = &options->use_kuserok; goto parse_flag; + case sGssEnablek5users: + intptr = &options->enable_k5users; + goto parse_flag; + case sPermitListen: case sPermitOpen: if (opcode == sPermitListen) { @@ -2373,6 +2382,7 @@ M_CP_INTOPT(ip_qos_interactive); M_CP_INTOPT(ip_qos_bulk); M_CP_INTOPT(use_kuserok); + M_CP_INTOPT(enable_k5users); M_CP_INTOPT(rekey_limit); M_CP_INTOPT(rekey_interval); M_CP_INTOPT(log_level); @@ -2640,6 +2650,7 @@ # endif dump_cfg_fmtint(sKerberosUniqueCCache, o->kerberos_unique_ccache); dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok); + dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users); #endif #ifdef GSSAPI dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); diff -Naur -x '*~' -x '*.orig' openssh-8.0p1/servconf.h openssh-8.0p1-GSSAPIEnablek5users/servconf.h --- openssh-8.0p1/servconf.h 2019-04-29 19:55:51.865495344 +0200 +++ openssh-8.0p1-GSSAPIEnablek5users/servconf.h 2019-04-29 19:56:25.507261134 +0200 @@ -128,6 +128,7 @@ int kerberos_unique_ccache; /* If true, the acquired ticket will * be stored in per-session ccache */ int use_kuserok; + int enable_k5users; int gss_authentication; /* If true, permit GSSAPI authentication */ int gss_keyex; /* If true, permit GSSAPI key exchange */ int gss_cleanup_creds; /* If true, destroy cred cache on logout */ diff -Naur -x '*~' -x '*.orig' openssh-8.0p1/sshd_config openssh-8.0p1-GSSAPIEnablek5users/sshd_config --- openssh-8.0p1/sshd_config 2019-04-29 19:55:51.865495344 +0200 +++ openssh-8.0p1-GSSAPIEnablek5users/sshd_config 2019-04-29 19:56:25.508261127 +0200 @@ -72,6 +72,7 @@ #GSSAPICleanupCredentials yes #GSSAPIStrictAcceptorCheck yes #GSSAPIKeyExchange no +#GSSAPIEnablek5users no # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will diff -Naur -x '*~' -x '*.orig' openssh-8.0p1/sshd_config.5 openssh-8.0p1-GSSAPIEnablek5users/sshd_config.5 --- openssh-8.0p1/sshd_config.5 2019-04-29 19:55:51.865495344 +0200 +++ openssh-8.0p1-GSSAPIEnablek5users/sshd_config.5 2019-04-29 19:56:25.507261134 +0200 @@ -653,6 +653,12 @@ on logout. The default is .Cm yes . +.It Cm GSSAPIEnablek5users +Specifies whether to look at .k5users file for GSSAPI authentication +access control. Further details are described in +.Xr ksu 1 . +The default is +.Cm no . .It Cm GSSAPIKeyExchange Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange doesn't rely on ssh keys to verify host identity.