From 86c093d2895989d1258459b797ce3630eaa47d1a Mon Sep 17 00:00:00 2001
From: Darren Tucker <dtucker@zip.com.au>
Date: Mon, 8 Mar 2004 22:59:03 +1100
Subject: [PATCH]  - (dtucker) [configure.ac sshd.c openbsd-compat/bsd-misc.h  
  openbsd-compat/setenv.c] Unset KRB5CCNAME on AIX to prevent it from being   
 inherited by the child.  ok djm@

---
 configure.ac              | 4 ++--
 openbsd-compat/bsd-misc.h | 6 +++++-
 openbsd-compat/setenv.c   | 8 ++++++--
 sshd.c                    | 7 +++++++
 4 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/configure.ac b/configure.ac
index fc765b472..8eea75589 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.204 2004/03/03 00:08:59 djm Exp $
+# $Id: configure.ac,v 1.205 2004/03/08 11:59:03 dtucker Exp $
 
 AC_INIT
 AC_CONFIG_SRCDIR([ssh.c])
@@ -802,7 +802,7 @@ AC_CHECK_FUNCS(\
 	setproctitle setregid setreuid setrlimit \
 	setsid setvbuf sigaction sigvec snprintf socketpair strerror \
 	strlcat strlcpy strmode strnvis strtoul sysconf tcgetpgrp \
-	truncate updwtmpx utimes vhangup vsnprintf waitpid \
+	truncate unsetenv updwtmpx utimes vhangup vsnprintf waitpid \
 )
 
 # IRIX has a const char return value for gai_strerror()
diff --git a/openbsd-compat/bsd-misc.h b/openbsd-compat/bsd-misc.h
index c8073942c..009739b14 100644
--- a/openbsd-compat/bsd-misc.h
+++ b/openbsd-compat/bsd-misc.h
@@ -1,4 +1,4 @@
-/* $Id: bsd-misc.h,v 1.14 2004/02/17 05:49:55 djm Exp $ */
+/* $Id: bsd-misc.h,v 1.15 2004/03/08 11:59:03 dtucker Exp $ */
 
 /*
  * Copyright (c) 1999-2004 Damien Miller <djm@mindrot.org>
@@ -89,6 +89,10 @@ pid_t tcgetpgrp(int);
 int tcsendbreak(int, int);
 #endif
 
+#ifndef HAVE_UNSETENV
+void unsetenv(const char *);
+#endif
+
 /* wrapper for signal interface */
 typedef void (*mysig_t)(int);
 mysig_t mysignal(int sig, mysig_t act);
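Review bot: The fallback prototype `void unsetenv(const char *);` has a different return type from POSIX, which declares the function as returning `int`. A caller therefore cannot portably check the result, and code such as `if (unsetenv(name) != 0)` would build on native platforms but not on the fallback. Declaring `int unsetenv(const char *);` here and ending the replacement in setenv.c with `return (0);` would keep both paths compatible. If a platform's headers declare an `int` version while configure still leaves HAVE_UNSETENV undefined, the `void` prototype would also conflict at compile time; that case is inferred, not visible in this hunk.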
diff --git a/openbsd-compat/setenv.c b/openbsd-compat/setenv.c
index b7ba0ce83..c3a86c651 100644
--- a/openbsd-compat/setenv.c
+++ b/openbsd-compat/setenv.c
@@ -30,7 +30,7 @@
  */
 
 #include "includes.h"
-#ifndef HAVE_SETENV
+#if !defined(HAVE_SETENV) || !defined(HAVE_UNSETENV)
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static char *rcsid = "$OpenBSD: setenv.c,v 1.6 2003/06/02 20:18:38 millert Exp $";
@@ -77,6 +77,7 @@ __findenv(name, offset)
 	return (NULL);
 }
 
+#ifndef HAVE_SETENV
 /*
  * setenv --
  *	Set the value of the environmental variable "name" to be
@@ -138,7 +139,9 @@ setenv(name, value, rewrite)
 		;
 	return (0);
 }
+#endif /* HAVE_SETENV */
 
+#ifndef HAVE_UNSETENV
 /*
  * unsetenv(name) --
  *	Delete environmental variable "name".
@@ -157,5 +160,6 @@ unsetenv(name)
 			if (!(*P = *(P + 1)))
 				break;
 }
+#endif /* HAVE_UNSETENV */
 
-#endif /* HAVE_SETENV */
+#endif /* !defined(HAVE_SETENV) || !defined(HAVE_UNSETENV) */
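Review bot: The header comment for the replacement `unsetenv` ("Delete environmental variable "name"") does not say whether every entry with that name is removed or only the first one found, and sshd.c now depends on this function to scrub a credential-related variable. Only the tail of the body is visible here (the in-place shift `*P = *(P + 1)`), so I cannot confirm that the surrounding loop repeats until `__findenv` finds nothing. If it does, I would state it in the comment, for example `Removes every entry for "name"; environ is compacted in place and nothing is freed.` Note also that the new `#if` allows this replacement to be built next to a native `setenv`, so the comment should say it edits `environ` directly.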
diff --git a/sshd.c b/sshd.c
index 2c224b9c3..3247091a4 100644
--- a/sshd.c
+++ b/sshd.c
@@ -939,6 +939,13 @@ main(int ac, char **av)
 	    SYSLOG_FACILITY_AUTH : options.log_facility,
 	    log_stderr || !inetd_flag);
 
+#ifdef _AIX
+	/*
+	 * Unset KRB5CCNAME, otherwise the user's session may inherit it from
+	 * root's environment
+	 */ 
+	unsetenv("KRB5CCNAME");
+#endif /* _AIX */
 #ifdef _UNICOS
 	/* Cray can define user privs drop all prives now!
 	 * Not needed on PRIV_SU systems!
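Review bot: The new comment in the `#ifdef _AIX` block says what is unset but not why only AIX needs it, so a maintainer cannot tell whether other platforms or other credential-pointing variables need the same scrub. I would name the mechanism, for example `/* On AIX the session inherits sshd's own environment (confirm which call does this), so drop root's Kerberos credential cache name before any child is started. */`. The call removes a single named variable; if more of root's environment can reach the session by the same route, the comment should say that too. There is also trailing whitespace after `*/` on the comment's closing line. main() starts and ends outside this hunk.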