]> andersk Git - gssapi-openssh.git/blobdiff - openssh/auth-krb5.c
andersk / gssapi-openssh.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
merged with openssh-mit-krb5-20020326.diff from Simon
[gssapi-openssh.git] / openssh / auth-krb5.c
diff --git a/openssh/auth-krb5.c b/openssh/auth-krb5.c
index f105207ba72b61a3903a1a107426fba1f5f7a7d5..3c6831ef34040cbce5d362064c4417946e123091 100644 (file)
--- a/openssh/auth-krb5.c
+++ b/openssh/auth-krb5.c
@@ -94,13 +94,14 @@ auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client)
            auth, server, NULL, NULL, &ticket);
        if (problem)
                goto err;
-       
-#ifdef HEIMDAL 
+
+#ifdef HEIMDAL
        problem = krb5_copy_principal(authctxt->krb5_ctx, ticket->client,
            &authctxt->krb5_user);
 #else
-       problem = krb5_copy_principal(authctxt->krb5_ctx, ticket->enc_part2->client,
-           &authctxt->krb5_user);
+       problem = krb5_copy_principal(authctxt->krb5_ctx, 
+                                     ticket->enc_part2->client,
+                                     &authctxt->krb5_user);
 #endif
        if (problem)
                goto err;
@@ -153,19 +154,33 @@ auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt)
        krb5_ccache ccache = NULL;
        char *pname;
        krb5_creds **creds;
-       
+
        if (authctxt->pw == NULL || authctxt->krb5_user == NULL)
                return (0);
 
        temporarily_use_uid(authctxt->pw);
-       
-#ifdef HEIMDAL 
+
+#ifdef HEIMDAL
        problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, &ccache);
 #else
 {
-       char ccname[35];
+       char ccname[40];
+       int tmpfd;
+       
+       snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
        
-       snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%d", authctxt->pw->pw_uid);
+       if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
+               log("mkstemp(): %.100s", strerror(errno));
+               problem = errno;
+               goto fail;
+       }
+       if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
+               log("fchmod(): %.100s", strerror(errno));
+               close(tmpfd);
+               problem = errno;
+               goto fail;
+       }
+       close(tmpfd);
        problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &ccache);
 }
 #endif
@@ -176,8 +191,8 @@ auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt)
            authctxt->krb5_user);
        if (problem)
                goto fail;
-       
-#ifdef HEIMDAL 
+
+#ifdef HEIMDAL
        problem = krb5_rd_cred2(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
            ccache, tgt);
        if (problem)
@@ -185,13 +200,13 @@ auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt)
 #else
        problem = krb5_rd_cred(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
            tgt, &creds, NULL);
-       if (problem) 
+       if (problem)
                goto fail;
        problem = krb5_cc_store_cred(authctxt->krb5_ctx, ccache, *creds);
        if (problem)
-               goto fail;
+               goto fail;
 #endif
-       
+
        authctxt->krb5_fwd_ccache = ccache;
        ccache = NULL;
 
@@ -224,8 +239,10 @@ int
 auth_krb5_password(Authctxt *authctxt, const char *password)
 {
 #ifndef HEIMDAL
-        krb5_creds creds;
+       krb5_creds creds;
        krb5_principal server;
+       char ccname[40];
+       int tmpfd;
 #endif 
        krb5_error_code problem;
 
@@ -242,12 +259,12 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
                    &authctxt->krb5_user);
        if (problem)
                goto out;
-       
-#ifdef HEIMDAL 
+
+#ifdef HEIMDAL
        problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops,
            &authctxt->krb5_fwd_ccache);
 #else
-       problem = krb5_cc_resolve(authctxt->krb5_ctx, "MEMORY:", 
+       problem = krb5_cc_resolve(authctxt->krb5_ctx, "MEMORY:",
            &authctxt->krb5_fwd_ccache);
 #endif
        if (problem)
@@ -257,39 +274,72 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
            authctxt->krb5_fwd_ccache, authctxt->krb5_user);
        if (problem)
                goto out;
-       
-#ifdef HEIMDAL 
+
        restore_uid();
+
+#ifdef HEIMDAL
        problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
            authctxt->krb5_fwd_ccache, password, 1, NULL);
        temporarily_use_uid(authctxt->pw);
 
        if (problem)
                goto out;
-       
+
 #else
-        problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds, 
-            authctxt->krb5_user, password, NULL, NULL, 0, NULL, NULL);
-        if (problem)
-               goto out;
+       problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
+           authctxt->krb5_user, (char *)password, NULL, NULL, 0, NULL, NULL);
+       if (problem)
+               goto out;
 
-        problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL, 
-            KRB5_NT_SRV_HST, &server);
-        if (problem)
-               goto out;
+       problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL,
+           KRB5_NT_SRV_HST, &server);
+       if (problem)
+               goto out;
 
        restore_uid();
-        problem = krb5_verify_init_creds(authctxt->krb5_ctx, &creds, server, NULL, NULL, 
-            NULL);
+       problem = krb5_verify_init_creds(authctxt->krb5_ctx, &creds, server,
+           NULL, NULL, NULL);
+       krb5_free_principal(authctxt->krb5_ctx, server);
        temporarily_use_uid(authctxt->pw);
+       if (problem)
+               goto out;
+       
+       if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, 
+                         authctxt->pw->pw_name)) {
+               problem = -1;
+               goto out;
+       } 
+
+       snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
+       
+       if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
+               log("mkstemp(): %.100s", strerror(errno));
+               problem = errno;
+               goto out;
+       }
        
-        krb5_free_principal(authctxt->krb5_ctx, server);
-        if (problem)
-               goto out;
+       if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
+               log("fchmod(): %.100s", strerror(errno));
+               close(tmpfd);
+               problem = errno;
+               goto out;
+       }
+       close(tmpfd);
 
-       problem = krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache, &creds);
+       problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &authctxt->krb5_fwd_ccache);
+       if (problem)
+               goto out;
 
-#endif /* HEIMDAL */
+       problem = krb5_cc_initialize(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
+                                    authctxt->krb5_user);
+       if (problem)
+               goto out;
+                               
+       problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
+                                &creds);
+       if (problem)
+               goto out;
+#endif         
 
        authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
 
@@ -297,7 +347,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
        restore_uid();
 
        if (problem) {
-               if (authctxt->krb5_ctx != NULL)
+               if (authctxt->krb5_ctx != NULL && problem!=-1)
                        debug("Kerberos password authentication failed: %s",
                            krb5_get_err_text(authctxt->krb5_ctx, problem));
                else
git-cvsimport mirror of GSI OpenSSH
This page took 0.073009 seconds and 4 git commands to generate.