- djm@cvs.openbsd.org 2005/05/19 02:40:52
[openssh.git] / auth-krb5.c
index b41c4882bafbf020d6febd2a176cbf74876dcd89..2f742534aa9af249352a1942d501f785d1859417 100644 (file)
@@ -40,7 +40,6 @@ RCSID("$OpenBSD: auth-krb5.c,v 1.15 2003/11/21 11:57:02 djm Exp $");
 #include "auth.h"
 
 #ifdef KRB5
-
 #include <krb5.h>
 
 extern ServerOptions    options;
@@ -55,7 +54,9 @@ krb5_init(void *context)
                problem = krb5_init_context(&authctxt->krb5_ctx);
                if (problem)
                        return (problem);
+#ifdef KRB5_INIT_ETS
                krb5_init_ets(authctxt->krb5_ctx);
+#endif
        }
        return (0);
 }
@@ -68,9 +69,11 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
        krb5_principal server;
        char ccname[40];
        int tmpfd;
-#endif 
+       mode_t old_umask;
+#endif
        krb5_error_code problem;
        krb5_ccache ccache = NULL;
+       int len;
 
        if (!authctxt->valid)
                return (0);
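Review bot: `int len;` added in this hunk later receives `strlen(authctxt->krb5_ticket_file) + 6` and is passed to xmalloc() and snprintf() in the last hunk, so a size_t value is narrowed to int and then converted back to a size. Declaring it as `size_t len;` removes the sign conversion. Writing the size as `strlen(authctxt->krb5_ticket_file) + sizeof("FILE:")` would also tie the bare constant 6 to the prefix and terminator it accounts for. The body of auth_krb5_password() continues outside this hunk.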
@@ -97,14 +100,15 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
                goto out;
 
        restore_uid();
-       
+
        problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
            ccache, password, 1, NULL);
-       
+
        temporarily_use_uid(authctxt->pw);
 
        if (problem)
                goto out;
+
        problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
            &authctxt->krb5_fwd_ccache);
        if (problem)
@@ -135,7 +139,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
        temporarily_use_uid(authctxt->pw);
        if (problem)
                goto out;
-       
+
        if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
                          authctxt->pw->pw_name)) {
                problem = -1;
@@ -143,13 +147,16 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
        }
 
        snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
-       
-       if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
+
+       old_umask = umask(0177);
+       tmpfd = mkstemp(ccname + strlen("FILE:"));
+       umask(old_umask);
+       if (tmpfd == -1) {
                logit("mkstemp(): %.100s", strerror(errno));
                problem = errno;
                goto out;
        }
-       
+
        if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
                logit("fchmod(): %.100s", strerror(errno));
                close(tmpfd);
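Review bot: In the mkstemp() failure branch, `problem = errno;` is read only after umask(old_umask) and logit() have run, so the stored value may no longer be the one mkstemp() set; logit() in particular may do work that overwrites errno. Taking the copy first keeps the error code reliable: `problem = errno;` followed by `logit("mkstemp(): %.100s", strerror(problem));`. The fchmod() branch at the end of the hunk also logs before handling the error, but the rest of it lies outside the hunk, so the same ordering should be checked there.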
@@ -166,15 +173,25 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
                                     authctxt->krb5_user);
        if (problem)
                goto out;
-                               
+
        problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
                                 &creds);
        if (problem)
                goto out;
-#endif         
+#endif
 
        authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
 
+       len = strlen(authctxt->krb5_ticket_file) + 6;
+       authctxt->krb5_ccname = xmalloc(len);
+       snprintf(authctxt->krb5_ccname, len, "FILE:%s",
+           authctxt->krb5_ticket_file);
+
+#ifdef USE_PAM
+       if (options.use_pam)
+               do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname);
+#endif
+
  out:
        restore_uid();
 
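Review bot: The string stored in `authctxt->krb5_ccname` is allocated with xmalloc(), but nothing visible in this hunk releases it or clears the pointer. Unless the Kerberos cleanup path (outside this hunk) frees it, the allocation leaks and the pointer can outlive the credential cache it names. A comment at the assignment stating the owner, e.g. `/* heap copy owned by authctxt; released together with krb5_fwd_ccache */`, together with the matching free in that cleanup path, would settle it. A short comment could also record that `krb5_ticket_file` presumably points into storage owned by the ccache (the `(char *)` cast suggests a const return), whereas `krb5_ccname` is an independent copy carrying the `FILE:` prefix used for KRB5CCNAME.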