X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/b347167a8d1e8a8d2eb0e5becc6119f7767adf81..9794d0089c075188de1c7a752a61e7efc9e227bc:/auth-krb5.c diff --git a/auth-krb5.c b/auth-krb5.c index a324ff15..7bce7778 100644 --- a/auth-krb5.c +++ b/auth-krb5.c @@ -1,3 +1,4 @@ +/* $OpenBSD: auth-krb5.c,v 1.18 2006/05/06 08:35:40 dtucker Exp $ */ /* * Kerberos v5 authentication and ticket-passing routines. * @@ -28,7 +29,6 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-krb5.c,v 1.15 2003/11/21 11:57:02 djm Exp $"); #include "ssh.h" #include "ssh1.h" @@ -54,9 +54,6 @@ krb5_init(void *context) problem = krb5_init_context(&authctxt->krb5_ctx); if (problem) return (problem); -#ifdef KRB5_INIT_ETS - krb5_init_ets(authctxt->krb5_ctx); -#endif } return (0); } @@ -67,17 +64,11 @@ auth_krb5_password(Authctxt *authctxt, const char *password) #ifndef HEIMDAL krb5_creds creds; krb5_principal server; - char ccname[40]; - int tmpfd; - mode_t old_umask; #endif krb5_error_code problem; krb5_ccache ccache = NULL; int len; - if (!authctxt->valid) - return (0); - temporarily_use_uid(authctxt->pw); problem = krb5_init(authctxt); @@ -146,26 +137,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password) goto out; } - snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid()); - - old_umask = umask(0177); - tmpfd = mkstemp(ccname + strlen("FILE:")); - umask(old_umask); - if (tmpfd == -1) { - logit("mkstemp(): %.100s", strerror(errno)); - problem = errno; - goto out; - } - - if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) { - logit("fchmod(): %.100s", strerror(errno)); - close(tmpfd); - problem = errno; - goto out; - } - close(tmpfd); - - problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &authctxt->krb5_fwd_ccache); + problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache); if (problem) goto out; @@ -187,6 +159,11 @@ auth_krb5_password(Authctxt *authctxt, const char *password) snprintf(authctxt->krb5_ccname, len, "FILE:%s", authctxt->krb5_ticket_file); +#ifdef USE_PAM + if (options.use_pam) + do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname); +#endif + out: restore_uid(); @@ -208,7 +185,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password) else return (0); } - return (1); + return (authctxt->valid ? 1 : 0); } void @@ -229,4 +206,34 @@ krb5_cleanup_proc(Authctxt *authctxt) } } +#ifndef HEIMDAL +krb5_error_code +ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { + int tmpfd, ret; + char ccname[40]; + mode_t old_umask; + + ret = snprintf(ccname, sizeof(ccname), + "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid()); + if (ret < 0 || (size_t)ret >= sizeof(ccname)) + return ENOMEM; + + old_umask = umask(0177); + tmpfd = mkstemp(ccname + strlen("FILE:")); + umask(old_umask); + if (tmpfd == -1) { + logit("mkstemp(): %.100s", strerror(errno)); + return errno; + } + + if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) { + logit("fchmod(): %.100s", strerror(errno)); + close(tmpfd); + return errno; + } + close(tmpfd); + + return (krb5_cc_resolve(ctx, ccname, ccache)); +} +#endif /* !HEIMDAL */ #endif /* KRB5 */