- dtucker@cvs.openbsd.org 2005/11/21 09:42:10

     [auth-krb5.c]
     Perform Kerberos calls even for invalid users to prevent leaking
     information about account validity.  bz #975, patch originally from
     Senthil Kumar, sanity checked by Simon Wilkinson, tested by djm@, biorn@,
     ok markus@

diff --git a/ChangeLog b/ChangeLog
index 2d14c796d4693cc5505a8009ffccebda121526b7..7bd02f5afd940474652609fa125c7ad41e589734 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -12,6 +12,12 @@
      will pull it in.  At the moment it gets pulled in by sys/select.h
      (which ssh has no business including) via event.h.  OK markus@
      (ID sync only in -portable)
+   - dtucker@cvs.openbsd.org 2005/11/21 09:42:10
+     [auth-krb5.c]
+     Perform Kerberos calls even for invalid users to prevent leaking
+     information about account validity.  bz #975, patch originally from
+     Senthil Kumar, sanity checked by Simon Wilkinson, tested by djm@, biorn@,
+     ok markus@
 
 20051120
  - (dtucker) [openbsd-compat/openssl-compat.h] Add comment explaining what

diff --git a/auth-krb5.c b/auth-krb5.c
index a84e5401c7d448b1fddfde3e346d803108671291..64d613543db05d21ae648b71eee936727fd0c777 100644 (file)
--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -28,7 +28,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-krb5.c,v 1.15 2003/11/21 11:57:02 djm Exp $");
+RCSID("$OpenBSD: auth-krb5.c,v 1.16 2005/11/21 09:42:10 dtucker Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -69,9 +69,6 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
        krb5_ccache ccache = NULL;
        int len;
 
-       if (!authctxt->valid)
-               return (0);
-
        temporarily_use_uid(authctxt->pw);
 
        problem = krb5_init(authctxt);
@@ -188,7 +185,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
                else
                        return (0);
        }
-       return (1);
+       return (authctxt->valid ? 1 : 0);
 }
 
 void