From 426cef74e9eca531b23c6d47c44eca991129810d Mon Sep 17 00:00:00 2001 From: dtucker Date: Tue, 22 Nov 2005 08:42:42 +0000 Subject: [PATCH] - dtucker@cvs.openbsd.org 2005/11/21 09:42:10 [auth-krb5.c] Perform Kerberos calls even for invalid users to prevent leaking information about account validity. bz #975, patch originally from Senthil Kumar, sanity checked by Simon Wilkinson, tested by djm@, biorn@, ok markus@ --- ChangeLog | 6 ++++++ auth-krb5.c | 7 ++----- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2d14c796..7bd02f5a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -12,6 +12,12 @@ will pull it in. At the moment it gets pulled in by sys/select.h (which ssh has no business including) via event.h. OK markus@ (ID sync only in -portable) + - dtucker@cvs.openbsd.org 2005/11/21 09:42:10 + [auth-krb5.c] + Perform Kerberos calls even for invalid users to prevent leaking + information about account validity. bz #975, patch originally from + Senthil Kumar, sanity checked by Simon Wilkinson, tested by djm@, biorn@, + ok markus@ 20051120 - (dtucker) [openbsd-compat/openssl-compat.h] Add comment explaining what diff --git a/auth-krb5.c b/auth-krb5.c index a84e5401..64d61354 100644 --- a/auth-krb5.c +++ b/auth-krb5.c @@ -28,7 +28,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-krb5.c,v 1.15 2003/11/21 11:57:02 djm Exp $"); +RCSID("$OpenBSD: auth-krb5.c,v 1.16 2005/11/21 09:42:10 dtucker Exp $"); #include "ssh.h" #include "ssh1.h" @@ -69,9 +69,6 @@ auth_krb5_password(Authctxt *authctxt, const char *password) krb5_ccache ccache = NULL; int len; - if (!authctxt->valid) - return (0); - temporarily_use_uid(authctxt->pw); problem = krb5_init(authctxt); @@ -188,7 +185,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password) else return (0); } - return (1); + return (authctxt->valid ? 1 : 0); } void -- 2.45.2