Hi Guido, On Mi 01 Jul 2015 09:05:36 CEST, Guido Günther wrote:
On Tue, Jun 30, 2015 at 09:14:14PM +0000, Mike Gabriel wrote:Hi Guido, I just saw that you are co-maintainer of pykerberos. I realized after I had already put my name behind the package name in dla-needed.txt. As you are also on the LTS team, do you want to continue with uploading the package? Or shall I see to the upload and DLA? Maybe you just want to take a quick look and let me proceed. Please let me know your preferences here.Go ahead, you've done most of the work already. I had a look at the code on github when triaging the bug and it looked correct then but can break existing applications if we leave the default of verify == True (as noted in the CVE list). Cheers, -- Guido
I have played and tested the new "verify" option in checkPassword() just now. It will break things in mostly all setups if verify=True is the default. Reasons: o if /etc/krb5.keytab (or what ever $KRB5_KTNAME points to) is missing, then an authentication attempt against Kerberos will fail. o NEW: if /etc/krb5.keytab (or $KRB5_KTNAME) is not readable by a user, then a login attempt will end in "Permission denied". As the most common case is that /etc/krb5.keytab is set to 0600, authentications will always fail with verify=True.Actually, I cannot imagine a generic setup, where verify=True as the default will not fail.
My proposal for pykerberos in Debian: Ship that patch, but set verify=False as the default in the Python checkPassword() function because it requires manual hand-on work to get pykerberos working with verify=True.
I'd appreciate some feedback on this before proceeding with an upload. Thanks. Mike -- DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148 GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
Attachment:
pgp6kpbWLNRKn.pgp
Description: Digitale PGP-Signatur