X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/aff51935734441207923b8e59fbc3644fc4e7d2c..05ad7fe0046436c464f67230671ff89e79b39e9d:/auth-krb5.c

diff --git a/auth-krb5.c b/auth-krb5.c
index b41c4882..2f742534 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -40,7 +40,6 @@ RCSID("$OpenBSD: auth-krb5.c,v 1.15 2003/11/21 11:57:02 djm Exp $");
 #include "auth.h"
 
 #ifdef KRB5
-
 #include <krb5.h>
 
 extern ServerOptions	 options;
@@ -55,7 +54,9 @@ krb5_init(void *context)
 		problem = krb5_init_context(&authctxt->krb5_ctx);
 		if (problem)
 			return (problem);
+#ifdef KRB5_INIT_ETS
 		krb5_init_ets(authctxt->krb5_ctx);
+#endif
 	}
 	return (0);
 }
@@ -68,9 +69,11 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 	krb5_principal server;
 	char ccname[40];
 	int tmpfd;
-#endif	
+	mode_t old_umask;
+#endif
 	krb5_error_code problem;
 	krb5_ccache ccache = NULL;
+	int len;
 
 	if (!authctxt->valid)
 		return (0);
@@ -97,14 +100,15 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 		goto out;
 
 	restore_uid();
-	
+
 	problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
 	    ccache, password, 1, NULL);
-	
+
 	temporarily_use_uid(authctxt->pw);
 
 	if (problem)
 		goto out;
+
 	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
 	    &authctxt->krb5_fwd_ccache);
 	if (problem)
@@ -135,7 +139,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 	temporarily_use_uid(authctxt->pw);
 	if (problem)
 		goto out;
-	
+
 	if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
 			  authctxt->pw->pw_name)) {
 		problem = -1;
@@ -143,13 +147,16 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 	}
 
 	snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
-	
-	if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
+
+	old_umask = umask(0177);
+	tmpfd = mkstemp(ccname + strlen("FILE:"));
+	umask(old_umask);
+	if (tmpfd == -1) {
 		logit("mkstemp(): %.100s", strerror(errno));
 		problem = errno;
 		goto out;
 	}
-	
+
 	if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
 		logit("fchmod(): %.100s", strerror(errno));
 		close(tmpfd);
@@ -166,15 +173,25 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 				     authctxt->krb5_user);
 	if (problem)
 		goto out;
-				
+
 	problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
 				 &creds);
 	if (problem)
 		goto out;
-#endif		
+#endif
 
 	authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
 
+	len = strlen(authctxt->krb5_ticket_file) + 6;
+	authctxt->krb5_ccname = xmalloc(len);
+	snprintf(authctxt->krb5_ccname, len, "FILE:%s",
+	    authctxt->krb5_ticket_file);
+
+#ifdef USE_PAM
+	if (options.use_pam)
+		do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname);
+#endif
+
  out:
 	restore_uid();