From 78e43412a7e41e6ba23d38c61da3505fb5012935 Mon Sep 17 00:00:00 2001
From: dtucker
Date: Mon, 11 Aug 2003 12:55:36 +0000
Subject: [PATCH] =?utf8?q?=20-=20(dtucker)=20OpenBSD=20CVS=20Sync=20=20=20?=
 =?utf8?q?=20(thanks=20to=20Simon=20Wilkinson=20for=20help=20with=20this?=
 =?utf8?q?=20-dt)=20=20=20=20-=20markus@cvs.openbsd.org=202003/07/16=2015:?=
 =?utf8?q?02:06=20=20=20=20=20=20[auth-krb5.c]=20=20=20=20=20=20mcc=20->?=
 =?utf8?q?=20fcc;=20from=20Love=20H=F6rnquist=20=C5strand=20?=
 =?utf8?q?=20=20=20=20=20=20otherwise=20the=20kerberos=20credentinal=20is?=
 =?utf8?q?=20stored=20in=20a=20memory=20cache=20=20=20=20=20=20in=20the=20?=
 =?utf8?q?privileged=20sshd.=20ok=20jabob@,=20hin@=20(some=20time=20ago)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
---
 ChangeLog | 9 +++++++++
 auth-krb5.c | 28 ++++++++++++++++++++++------
 2 files changed, 31 insertions(+), 6 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 611abaa7..9438f0b3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+20030811
+ - (dtucker) OpenBSD CVS Sync
+ (thanks to Simon Wilkinson for help with this -dt)
+ - markus@cvs.openbsd.org 2003/07/16 15:02:06
+ [auth-krb5.c]
+ mcc -> fcc; from Love Hörnquist Åstrand
+ otherwise the kerberos credentinal is stored in a memory cache
+ in the privileged sshd. ok jabob@, hin@ (some time ago)
+
 20030808
 - (dtucker) [openbsd-compat/fake-rfc2553.h] Older Linuxes have AI_PASSIVE
 and AI_CANONNAME in netdb.h but not AI_NUMERICHOST, so check each definition
diff --git a/auth-krb5.c b/auth-krb5.c
index 0a6f826e..b04c6649 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -28,7 +28,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth-krb5.c,v 1.10 2002/11/21 23:03:51 deraadt Exp $");
+RCSID("$OpenBSD: auth-krb5.c,v 1.11 2003/07/16 15:02:06 markus Exp $");
 #include "ssh.h"
 #include "ssh1.h"
@@ -265,6 +265,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 int tmpfd;
 #endif
 krb5_error_code problem;
+ krb5_ccache ccache = NULL;
 if (authctxt->pw == NULL)
 return (0);
@@ -281,23 +282,35 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 goto out;
 #ifdef HEIMDAL
- problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops,
- &authctxt->krb5_fwd_ccache);
+ problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache);
 if (problem)
 goto out;
- problem = krb5_cc_initialize(authctxt->krb5_ctx,
- authctxt->krb5_fwd_ccache, authctxt->krb5_user);
+ problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
+ authctxt->krb5_user);
 if (problem)
 goto out;
 restore_uid();
+
 problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
- authctxt->krb5_fwd_ccache, password, 1, NULL);
+ ccache, password, 1, NULL);
+
 temporarily_use_uid(authctxt->pw);
 if (problem)
 goto out;
+ problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
+ &authctxt->krb5_fwd_ccache);
+ if (problem)
+ goto out;
+
+ problem = krb5_cc_copy_cache(authctxt->krb5_ctx, ccache,
+ authctxt->krb5_fwd_ccache);
+ krb5_cc_destroy(authctxt->krb5_ctx, ccache);
+ ccache = NULL;
+ if (problem)
+ goto out;
 #else
 problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
@@ -361,6 +374,9 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 restore_uid();
 if (problem) {
+ if (ccache)
+ krb5_cc_destroy(authctxt->krb5_ctx, ccache);
+
 if (authctxt->krb5_ctx != NULL && problem!=-1)
 debug("Kerberos password authentication failed: %s",
 krb5_get_err_text(authctxt->krb5_ctx, problem));
-- 
2.45.1
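Review bot: When `krb5_cc_copy_cache` fails in the HEIMDAL branch, `ccache` has already been destroyed and set to NULL, but `authctxt->krb5_fwd_ccache` is left pointing at the file cache that `krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, ...)` just created on disk; its removal therefore depends entirely on the cleanup at `out:` (outside this hunk) destroying `krb5_fwd_ccache` on error, which is worth confirming rather than assuming. The file-cache creation and the copy run after `temporarily_use_uid(authctxt->pw)`, so the on-disk cache is presumably created under the user's uid, and that intent deserves a comment above the fcc `krb5_cc_gen_new`, e.g. `/* Verify into a memory cache, then copy into a file cache: a memory cache would exist only in the privileged sshd and be unusable after privsep. */`. Ignoring the return of `krb5_cc_destroy` on the memory cache is acceptable here since `problem` already carries the copy result. auth_krb5_password starts and ends outside the hunk.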
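Review bot: The added `krb5_cc_destroy(authctxt->krb5_ctx, ccache)` runs without the `authctxt->krb5_ctx != NULL` guard the next line applies, and after the `restore_uid()` two lines above; it is safe only because `ccache` is non-NULL solely when the HEIMDAL path failed between creating the memory cache and copying it, which implies an initialised context, and a memory cache presumably has no on-disk state for the uid to matter. That invariant is implicit, so I would state it next to the check: `/* ccache is non-NULL only if the HEIMDAL path failed after creating the memory cache; krb5_ctx is valid then */`. The `out:` block continues outside the hunk.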