auth, server, NULL, NULL, &ticket);
if (problem)
goto err;
-
-#ifdef HEIMDAL
+
+#ifdef HEIMDAL
problem = krb5_copy_principal(authctxt->krb5_ctx, ticket->client,
&authctxt->krb5_user);
#else
- problem = krb5_copy_principal(authctxt->krb5_ctx, ticket->enc_part2->client,
- &authctxt->krb5_user);
+ problem = krb5_copy_principal(authctxt->krb5_ctx,
+ ticket->enc_part2->client,
+ &authctxt->krb5_user);
#endif
if (problem)
goto err;
krb5_ccache ccache = NULL;
char *pname;
krb5_creds **creds;
-
+
if (authctxt->pw == NULL || authctxt->krb5_user == NULL)
return (0);
temporarily_use_uid(authctxt->pw);
-
-#ifdef HEIMDAL
+
+#ifdef HEIMDAL
problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, &ccache);
#else
{
- char ccname[35];
+ char ccname[40];
+ int tmpfd;
+
+ snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
- snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%d", authctxt->pw->pw_uid);
+ if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
+ log("mkstemp(): %.100s", strerror(errno));
+ problem = errno;
+ goto fail;
+ }
+ if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
+ log("fchmod(): %.100s", strerror(errno));
+ close(tmpfd);
+ problem = errno;
+ goto fail;
+ }
+ close(tmpfd);
problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &ccache);
}
#endif
authctxt->krb5_user);
if (problem)
goto fail;
-
-#ifdef HEIMDAL
+
+#ifdef HEIMDAL
problem = krb5_rd_cred2(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
ccache, tgt);
if (problem)
#else
problem = krb5_rd_cred(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
tgt, &creds, NULL);
- if (problem)
+ if (problem)
goto fail;
problem = krb5_cc_store_cred(authctxt->krb5_ctx, ccache, *creds);
if (problem)
- goto fail;
+ goto fail;
#endif
-
+
authctxt->krb5_fwd_ccache = ccache;
ccache = NULL;
auth_krb5_password(Authctxt *authctxt, const char *password)
{
#ifndef HEIMDAL
- krb5_creds creds;
+ krb5_creds creds;
krb5_principal server;
+ char ccname[40];
+ int tmpfd;
#endif
krb5_error_code problem;
&authctxt->krb5_user);
if (problem)
goto out;
-
-#ifdef HEIMDAL
+
+#ifdef HEIMDAL
problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops,
&authctxt->krb5_fwd_ccache);
#else
- problem = krb5_cc_resolve(authctxt->krb5_ctx, "MEMORY:",
+ problem = krb5_cc_resolve(authctxt->krb5_ctx, "MEMORY:",
&authctxt->krb5_fwd_ccache);
#endif
if (problem)
authctxt->krb5_fwd_ccache, authctxt->krb5_user);
if (problem)
goto out;
-
-#ifdef HEIMDAL
+
restore_uid();
+
+#ifdef HEIMDAL
problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
authctxt->krb5_fwd_ccache, password, 1, NULL);
temporarily_use_uid(authctxt->pw);
if (problem)
goto out;
-
+
#else
- problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
- authctxt->krb5_user, password, NULL, NULL, 0, NULL, NULL);
- if (problem)
- goto out;
+ problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
+ authctxt->krb5_user, (char *)password, NULL, NULL, 0, NULL, NULL);
+ if (problem)
+ goto out;
- problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL,
- KRB5_NT_SRV_HST, &server);
- if (problem)
- goto out;
+ problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL,
+ KRB5_NT_SRV_HST, &server);
+ if (problem)
+ goto out;
restore_uid();
- problem = krb5_verify_init_creds(authctxt->krb5_ctx, &creds, server, NULL, NULL,
- NULL);
+ problem = krb5_verify_init_creds(authctxt->krb5_ctx, &creds, server,
+ NULL, NULL, NULL);
+ krb5_free_principal(authctxt->krb5_ctx, server);
temporarily_use_uid(authctxt->pw);
+ if (problem)
+ goto out;
+
+ if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
+ authctxt->pw->pw_name)) {
+ problem = -1;
+ goto out;
+ }
+
+ snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
+
+ if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
+ log("mkstemp(): %.100s", strerror(errno));
+ problem = errno;
+ goto out;
+ }
- krb5_free_principal(authctxt->krb5_ctx, server);
- if (problem)
- goto out;
+ if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
+ log("fchmod(): %.100s", strerror(errno));
+ close(tmpfd);
+ problem = errno;
+ goto out;
+ }
+ close(tmpfd);
- problem = krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache, &creds);
+ problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &authctxt->krb5_fwd_ccache);
+ if (problem)
+ goto out;
-#endif /* HEIMDAL */
+ problem = krb5_cc_initialize(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
+ authctxt->krb5_user);
+ if (problem)
+ goto out;
+
+ problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
+ &creds);
+ if (problem)
+ goto out;
+#endif
authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
restore_uid();
if (problem) {
- if (authctxt->krb5_ctx != NULL)
+ if (authctxt->krb5_ctx != NULL && problem!=-1)
debug("Kerberos password authentication failed: %s",
krb5_get_err_text(authctxt->krb5_ctx, problem));
else