- (dtucker) OpenBSD CVS Sync
authordtucker <dtucker>
Mon, 11 Aug 2003 12:55:36 +0000 (12:55 +0000)
committerdtucker <dtucker>
Mon, 11 Aug 2003 12:55:36 +0000 (12:55 +0000)
   (thanks to Simon Wilkinson for help with this -dt)
   - markus@cvs.openbsd.org 2003/07/16 15:02:06
     [auth-krb5.c]
     mcc -> fcc; from Love Hörnquist Åstrand <lha@it.su.se>
     otherwise the kerberos credential is stored in a memory cache
     in the privileged sshd. ok jabob@, hin@ (some time ago)

ChangeLog
auth-krb5.c

index 611abaa7fbfe51c9ba41ef5d348bbaf882247f8b..9438f0b348955a1363dc836cc6d3be31b4955552 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+20030811
+ - (dtucker) OpenBSD CVS Sync
+   (thanks to Simon Wilkinson for help with this -dt)
+   - markus@cvs.openbsd.org 2003/07/16 15:02:06
+     [auth-krb5.c]
+     mcc -> fcc; from Love Hörnquist Åstrand <lha@it.su.se>
+     otherwise the kerberos credentinal is stored in a memory cache
+     in the privileged sshd. ok jabob@, hin@ (some time ago)
+
 20030808
  - (dtucker) [openbsd-compat/fake-rfc2553.h] Older Linuxes have AI_PASSIVE and
    AI_CANONNAME in netdb.h but not AI_NUMERICHOST, so check each definition
index 0a6f826e79db48dff9987a7709ba07caf3ecdcfc..b04c6649b128c62aaa954c777b7848d3e3438fd2 100644 (file)
@@ -28,7 +28,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-krb5.c,v 1.10 2002/11/21 23:03:51 deraadt Exp $");
+RCSID("$OpenBSD: auth-krb5.c,v 1.11 2003/07/16 15:02:06 markus Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -265,6 +265,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
        int tmpfd;
 #endif 
        krb5_error_code problem;
+       krb5_ccache ccache = NULL;
 
        if (authctxt->pw == NULL)
                return (0);
@@ -281,23 +282,35 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
                goto out;
 
 #ifdef HEIMDAL
-       problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops,
-           &authctxt->krb5_fwd_ccache);
+       problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache);
        if (problem)
                goto out;
 
-       problem = krb5_cc_initialize(authctxt->krb5_ctx,
-           authctxt->krb5_fwd_ccache, authctxt->krb5_user);
+       problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
+               authctxt->krb5_user);
        if (problem)
                goto out;
 
        restore_uid();
+       
        problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
-           authctxt->krb5_fwd_ccache, password, 1, NULL);
+           ccache, password, 1, NULL);
+       
        temporarily_use_uid(authctxt->pw);
 
        if (problem)
                goto out;
+       problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
+           &authctxt->krb5_fwd_ccache);
+       if (problem)
+               goto out;
+
+       problem = krb5_cc_copy_cache(authctxt->krb5_ctx, ccache,
+           authctxt->krb5_fwd_ccache);
+       krb5_cc_destroy(authctxt->krb5_ctx, ccache);
+       ccache = NULL;
+       if (problem)
+               goto out;
 
 #else
        problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
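Review bot: If `krb5_cc_copy_cache` fails, the `goto out` that follows leaves `authctxt->krb5_fwd_ccache` referring to the file cache that `krb5_cc_gen_new(..., &krb5_fcc_ops, ...)` has just created, and nothing in this hunk destroys it; the cleanup added at `out:` covers only the temporary `ccache`. Because that cache is now file-backed rather than in-memory, a leftover would presumably be a file on disk, so it is worth confirming that the rest of the `out:` path, which is outside this hunk, also destroys `krb5_fwd_ccache` on failure. The sequence would also benefit from a comment such as `/* verify into a memory cache with the privileged uid restored, then copy into a file cache created after temporarily_use_uid() */`, since the ordering relative to `restore_uid()` and `temporarily_use_uid(authctxt->pw)` appears to be what decides which uid owns the cache file. The body of `auth_krb5_password` starts and ends outside the hunk.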
@@ -361,6 +374,9 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
        restore_uid();
 
        if (problem) {
+               if (ccache)
+                       krb5_cc_destroy(authctxt->krb5_ctx, ccache);
+
                if (authctxt->krb5_ctx != NULL && problem!=-1)
                        debug("Kerberos password authentication failed: %s",
                            krb5_get_err_text(authctxt->krb5_ctx, problem));