X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/6f6024612a593fb89629c1f06182f0525af72b3e..HEAD:/auth-krb5.c
diff --git a/auth-krb5.c b/auth-krb5.c
index 6ae4f5fc..d019fe20 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: auth-krb5.c,v 1.19 2006/08/03 03:34:41 deraadt Exp $ */
 /*
 * Kerberos v5 authentication and ticket-passing routines.
 *
@@ -28,18 +29,27 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth-krb5.c,v 1.15 2003/11/21 11:57:02 djm Exp $");
+#include
+#include
+#include
+
+#include "xmalloc.h"
 #include "ssh.h"
 #include "ssh1.h"
 #include "packet.h"
-#include "xmalloc.h"
 #include "log.h"
+#include "buffer.h"
 #include "servconf.h"
 #include "uidswap.h"
+#include "key.h"
+#include "hostfile.h"
 #include "auth.h"
 #ifdef KRB5
+#include
+#include
+#include
 #include
 extern ServerOptions options;
@@ -54,9 +64,6 @@ krb5_init(void *context)
 problem = krb5_init_context(&authctxt->krb5_ctx);
 if (problem)
 return (problem);
-#ifdef KRB5_INIT_ETS
- krb5_init_ets(authctxt->krb5_ctx);
-#endif
 }
 return (0);
 }
@@ -71,9 +78,11 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 krb5_error_code problem;
 krb5_ccache ccache = NULL;
 int len;
+ char *client, *platform_client;
- if (!authctxt->valid)
- return (0);
+ /* get platform-specific kerberos client principal name (if it exists) */
+ platform_client = platform_krb5_get_principal_name(authctxt->pw->pw_name);
+ client = platform_client ? platform_client : authctxt->pw->pw_name;
 temporarily_use_uid(authctxt->pw);
@@ -81,7 +90,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 if (problem)
 goto out;
- problem = krb5_parse_name(authctxt->krb5_ctx, authctxt->pw->pw_name,
+ problem = krb5_parse_name(authctxt->krb5_ctx, client,
 &authctxt->krb5_user);
 if (problem)
 goto out;
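Review bot: In the `@@ -71,9 +78,11 @@` hunk the `authctxt->valid` early return is removed, so `authctxt->pw->pw_name` is dereferenced and `temporarily_use_uid(authctxt->pw)` runs for invalid users as well, and nothing in the hunk states that `authctxt->pw` is guaranteed non-NULL in that case. The validity test reappears only in the `@@ -191,7 +202,7 @@` hunk as `return (authctxt->valid ? 1 : 0);`, which gates the success return but, as far as the visible lines show, not the failure returns or any credential-cache state set up before it. I would add a comment above the new lookup such as `/* authctxt->pw must be non-NULL even when !authctxt->valid; validity is only checked at the final return */`, and confirm that the code between the two hunks does not leave a ticket cache behind for an invalid user. The function body starts and ends outside both hunks.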
@@ -137,8 +146,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 if (problem)
 goto out;
- if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
- authctxt->pw->pw_name)) {
+ if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
 problem = -1;
 goto out;
 }
@@ -172,6 +180,9 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 out:
 restore_uid();
+
+ if (platform_client != NULL)
+ xfree(platform_client);
 if (problem) {
 if (ccache)
@@ -191,7 +202,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 else
 return (0);
 }
- return (1);
+ return (authctxt->valid ? 1 : 0);
 }
 void
@@ -221,7 +232,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
 ret = snprintf(ccname, sizeof(ccname),
 "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
- if (ret == -1 || ret >= sizeof(ccname))
+ if (ret < 0 || (size_t)ret >= sizeof(ccname))
 return ENOMEM;
 old_umask = umask(0177);
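Review bot: In the `@@ -137,8 +146,7 @@` hunk the third argument of `krb5_kuserok()` is the local account name, but the new call passes `client`, which is the platform-mapped Kerberos principal name whenever `platform_krb5_get_principal_name()` returned one. When the mapped name differs from the login name, the authorization check is evaluated against a different or non-existent local account instead of the account being logged into. `client` is the right input for `krb5_parse_name()`, but here I would keep the account name: `if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, authctxt->pw->pw_name)) {`. The enclosing function starts and ends outside the hunk.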
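Review bot: In the `@@ -221,7 +232,7 @@` hunk the `%d` conversion on the context line above the changed check is fed `geteuid()`, whose `uid_t` type is unsigned on many platforms, so conversion and argument types do not match. An explicit cast keeps the generated name unchanged where it already worked: `"FILE:/tmp/krb5cc_%d_XXXXXXXXXX", (int)geteuid());`. Returning `ENOMEM` for a formatting error or truncation also reports a misleading cause to the caller, so a short comment on that line saying the code is reused for lack of a better one would help. The body of ssh_krb5_cc_gen continues outside the hunk.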