X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/8f73f7bbad3099712a0fdbc599a1b68058b12a3d..05ad7fe0046436c464f67230671ff89e79b39e9d:/auth-krb5.c diff --git a/auth-krb5.c b/auth-krb5.c index 0aa5195b..2f742534 100644 --- a/auth-krb5.c +++ b/auth-krb5.c @@ -28,7 +28,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-krb5.c,v 1.12 2003/08/28 12:54:34 markus Exp $"); +RCSID("$OpenBSD: auth-krb5.c,v 1.15 2003/11/21 11:57:02 djm Exp $"); #include "ssh.h" #include "ssh1.h" @@ -40,7 +40,6 @@ RCSID("$OpenBSD: auth-krb5.c,v 1.12 2003/08/28 12:54:34 markus Exp $"); #include "auth.h" #ifdef KRB5 - #include extern ServerOptions options; @@ -50,17 +49,14 @@ krb5_init(void *context) { Authctxt *authctxt = (Authctxt *)context; krb5_error_code problem; - static int cleanup_registered = 0; if (authctxt->krb5_ctx == NULL) { problem = krb5_init_context(&authctxt->krb5_ctx); if (problem) return (problem); +#ifdef KRB5_INIT_ETS krb5_init_ets(authctxt->krb5_ctx); - } - if (!cleanup_registered) { - fatal_add_cleanup(krb5_cleanup_proc, authctxt); - cleanup_registered = 1; +#endif } return (0); } @@ -73,11 +69,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password) krb5_principal server; char ccname[40]; int tmpfd; -#endif + mode_t old_umask; +#endif krb5_error_code problem; krb5_ccache ccache = NULL; + int len; - if (authctxt->pw == NULL) + if (!authctxt->valid) return (0); temporarily_use_uid(authctxt->pw); @@ -102,14 +100,15 @@ auth_krb5_password(Authctxt *authctxt, const char *password) goto out; restore_uid(); - + problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user, ccache, password, 1, NULL); - + temporarily_use_uid(authctxt->pw); if (problem) goto out; + problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, &authctxt->krb5_fwd_ccache); if (problem) @@ -140,21 +139,24 @@ auth_krb5_password(Authctxt *authctxt, const char *password) temporarily_use_uid(authctxt->pw); if (problem) goto out; - - if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, + + if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, authctxt->pw->pw_name)) { problem = -1; goto out; - } + } snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid()); - - if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) { + + old_umask = umask(0177); + tmpfd = mkstemp(ccname + strlen("FILE:")); + umask(old_umask); + if (tmpfd == -1) { logit("mkstemp(): %.100s", strerror(errno)); problem = errno; goto out; } - + if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) { logit("fchmod(): %.100s", strerror(errno)); close(tmpfd); @@ -171,15 +173,25 @@ auth_krb5_password(Authctxt *authctxt, const char *password) authctxt->krb5_user); if (problem) goto out; - + problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache, &creds); if (problem) goto out; -#endif +#endif authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache); + len = strlen(authctxt->krb5_ticket_file) + 6; + authctxt->krb5_ccname = xmalloc(len); + snprintf(authctxt->krb5_ccname, len, "FILE:%s", + authctxt->krb5_ticket_file); + +#ifdef USE_PAM + if (options.use_pam) + do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname); +#endif + out: restore_uid(); @@ -205,10 +217,8 @@ auth_krb5_password(Authctxt *authctxt, const char *password) } void -krb5_cleanup_proc(void *context) +krb5_cleanup_proc(Authctxt *authctxt) { - Authctxt *authctxt = (Authctxt *)context; - debug("krb5_cleanup_proc called"); if (authctxt->krb5_fwd_ccache) { krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);