* New upstream release (LP: #535029).

  - After a transition period of about 10 years, this release disables SSH
    protocol 1 by default.  Clients and servers that need to use the
    legacy protocol must explicitly enable it in ssh_config / sshd_config
    or on the command-line.
  - Remove the libsectok/OpenSC-based smartcard code and add support for
    PKCS#11 tokens.  This support is enabled by default in the Debian
    packaging, since it now doesn't involve additional library
    dependencies (closes: #231472, LP: #16918).
  - Add support for certificate authentication of users and hosts using a
    new, minimal OpenSSH certificate format (closes: #482806).
  - Added a 'netcat mode' to ssh(1): "ssh -W host:port ...".
  - Add the ability to revoke keys in sshd(8) and ssh(1).  (For the Debian
    package, this overlaps with the key blacklisting facility added in
    openssh 1:4.7p1-9, but with different file formats and slightly
    different scopes; for the moment, I've roughly merged the two.)
  - Various multiplexing improvements, including support for requesting
    port-forwardings via the multiplex protocol (closes: #360151).
  - Allow setting an explicit umask on the sftp-server(8) commandline to
    override whatever default the user has (closes: #496843).
  - Many sftp client improvements, including tab-completion, more options,
    and recursive transfer support for get/put (LP: #33378).  The old
    mget/mput commands never worked properly and have been removed
    (closes: #270399, #428082).
  - Do not prompt for a passphrase if we fail to open a keyfile, and log
    the reason why the open failed to debug (closes: #431538).
  - Prevent sftp from crashing when given a "-" without a command.  Also,
    allow whitespace to follow a "-" (closes: #531561).

1 files changed, 10 insertions, 3 deletions

diff --git a/auth-krb5.c b/auth-krb5.c
index 38164fda8..821913382 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -78,6 +78,11 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
         krb5_error_code problem;
         krb5_ccache ccache = NULL;
         int len;
+        char *client, *platform_client;
+
+        /* get platform-specific kerberos client principal name (if it exists) */
+        platform_client = platform_krb5_get_principal_name(authctxt->pw->pw_name);
+        client = platform_client ? platform_client : authctxt->pw->pw_name;
 
         temporarily_use_uid(authctxt->pw);
 
@@ -85,7 +90,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
         if (problem)
                 goto out;
 
-        problem = krb5_parse_name(authctxt->krb5_ctx, authctxt->pw->pw_name,
+        problem = krb5_parse_name(authctxt->krb5_ctx, client,
                     &authctxt->krb5_user);
         if (problem)
                 goto out;
@@ -141,8 +146,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
         if (problem)
                 goto out;
 
-        if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
-                          authctxt->pw->pw_name)) {
+        if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
                 problem = -1;
                 goto out;
         }
@@ -181,6 +185,9 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 
  out:
         restore_uid();
+        
+        if (platform_client != NULL)
+                xfree(platform_client);
 
         if (problem) {
                 if (ccache)