+20050830
+ - (djm) OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2005/08/30 22:08:05
+ [gss-serv.c sshconnect2.c]
+ destroy credentials if krb5_kuserok() call fails. Stops credentials being
+ delegated to users who are not authorised for GSSAPIAuthentication when
+ GSSAPIDeletegateCredentials=yes and another authentication mechanism
+ succeeds; bz#1073 reported by paul.moore AT centrify.com, fix by
+ simon AT sxw.org.uk, tested todd@ biorn@ jakob@; ok deraadt@
+
20050830
- (tim) [configure.ac] Back out last change. It needs to be done differently.
-/* $OpenBSD: gss-serv.c,v 1.7 2005/07/17 07:17:55 djm Exp $ */
+/* $OpenBSD: gss-serv.c,v 1.8 2005/08/30 22:08:05 djm Exp $ */
/*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
int
ssh_gssapi_userok(char *user)
{
+ OM_uint32 lmin;
+
if (gssapi_client.exportedname.length == 0 ||
gssapi_client.exportedname.value == NULL) {
debug("No suitable client data");
return 0;
}
if (gssapi_client.mech && gssapi_client.mech->userok)
- return ((*gssapi_client.mech->userok)(&gssapi_client, user));
+ if ((*gssapi_client.mech->userok)(&gssapi_client, user))
+ return 1;
+ else {
+ /* Destroy delegated credentials if userok fails */
+ gss_release_buffer(&lmin, &gssapi_client.displayname);
+ gss_release_buffer(&lmin, &gssapi_client.exportedname);
+ gss_release_cred(&lmin, &gssapi_client.creds);
+ memset(&gssapi_client, 0, sizeof(ssh_gssapi_client));
+ return 0;
+ }
else
debug("ssh_gssapi_userok: Unknown GSSAPI mechanism");
return (0);
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.141 2005/07/25 11:59:40 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.142 2005/08/30 22:08:05 djm Exp $");
#include "openbsd-compat/sys-queue.h"
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt = authctxt->methoddata;
gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
- gss_buffer_desc gssbuf, mic;
+ gss_buffer_desc mic = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc gssbuf;
OM_uint32 status, ms, flags;
Buffer b;