The present code for the authorization type "k5login"
contains serious security issues, should it have been
possible to activate it. Fortunately, the code does
not even construct the path "$HOME/.k5login" correctly,
so the code will never get into action!
The present patch addresses "lib/authorize.c" on the following
points of importance:
shishi_authorize_k5login():
* Correct format string for path assembly.
* No falling back to other authentication types, as this would
constitute a security breach in itself. In fact, the existing
fallback would lead to a segfault for any use case where the
remote client name differs from the local, acting user name.
* [Comment only] It can be argued that allowing root as owner
of "$HOME/.k5login" is an issue, albeit minor. BSD systems,
using MIT Kerberos or Heimdal, accept only the acting user
as file owner.
* The file must not be writeable by world, or group. Any other
situation is a grave security breach.
* The variable "linelength" contains the allocated space, not
the length of the read string. Thus the code could never perform
the intended comparison.
shishi_authorized_p():
* The file "$HOME/.k5login" must contain qualified equivalence names
like "user@REALM", or "user/role@REALM", never only "username". Thus
it is necessary to call shishi_encticketpart_clientrealm() in order to
fetch the qualified principal name, and to pass this on to
shishi_authorize_k5login().
* The allocated space in "client" was never released.
* Ignore unknown authorization types, instead of aborting the parsing run,
i.e., accept as much as conclusively can be accepted.
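As an added illustration, not part of the patch or of Shishi's own code, the checks listed above for both functions collected in one stand-alone C routine: file ownership and mode, fully qualified entries only, comparison on the real string length, and no fallback. The k5login_* names and the sample file are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
/* Trust ~/.k5login only if it is a regular file owned by the acting user
   (or root, per the caveat above) and not writable by group or world. */
int k5login_file_trusted(const char *path, uid_t uid)
{
  struct stat st;
  if (stat(path, &st) != 0 || !S_ISREG(st.st_mode)
      || (st.st_uid != uid && st.st_uid != 0)) return 0;
  return (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}
/* Entries must be fully qualified ("user@REALM", "user/role@REALM"); bare usernames never match. */
int k5login_line_matches(const char *line, const char *principal)
{
  return strchr(line, '@') != NULL && strcmp(line, principal) == 0;
}
/* 1 only if the file is trusted AND a whole line equals PRINCIPAL; no fallback on failure. */
int k5login_authorized(const char *path, uid_t uid, const char *principal)
{
  char line[512]; FILE *fh;
  int ok = 0, cont = 0;                  /* cont: inside an over-long line */
  if (!k5login_file_trusted(path, uid) || !(fh = fopen(path, "r"))) return 0;
  while (!ok && fgets(line, sizeof line, fh)) {
    size_t n = strcspn(line, "\r\n");    /* real length of what was read */
    int partial = line[n] == '\0' && !feof(fh);   /* no newline: buffer full */
    line[n] = '\0';
    if (!cont && !partial && line[0] != '\0' && line[0] != '#')
      ok = k5login_line_matches(line, principal);
    cont = partial;                      /* skip the rest of a truncated line */
  }
  fclose(fh);
  return ok;
}
/* Constructed sample .k5login, written once to a temp file (mkstemp: mode 0600). */
const char *sample_k5login_path(void)
{
  static char path[] = "/tmp/k5login-example-XXXXXX";
  static int ready = 0;
  const char *body = "# constructed sample\njas@EXAMPLE.ORG\nadmin/role@EXAMPLE.ORG\n";
  if (!ready) {
    int fd = mkstemp(path);
    if (fd < 0 || write(fd, body, strlen(body)) < 0) return NULL;
    close(fd); ready = 1;
  }
  return path;
}
```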
This material is related to an issue in "lib/cfg.c", to be reported
by me in a second letter.