From ec0943a96c80c920bee584240a889ae7b619b4e8 Mon Sep 17 00:00:00 2001
From: Darren Tucker <dtucker@zip.com.au>
Date: Mon, 11 Aug 2003 22:55:36 +1000
Subject: [PATCH] =?UTF-8?q?=20-=20(dtucker)=20OpenBSD=20CVS=20Sync=20=20?=
 =?UTF-8?q?=20=20(thanks=20to=20Simon=20Wilkinson=20for=20help=20with=20th?=
 =?UTF-8?q?is=20-dt)=20=20=20=20-=20markus@cvs.openbsd.org=202003/07/16=20?=
 =?UTF-8?q?15:02:06=20=20=20=20=20=20[auth-krb5.c]=20=20=20=20=20=20mcc=20?=
 =?UTF-8?q?->=20fcc;=20from=20Love=20H=C3=B6rnquist=20=C3=85strand=20<lha@?=
 =?UTF-8?q?it.su.se>=20=20=20=20=20=20otherwise=20the=20kerberos=20credent?=
 =?UTF-8?q?inal=20is=20stored=20in=20a=20memory=20cache=20=20=20=20=20=20i?=
 =?UTF-8?q?n=20the=20privileged=20sshd.=20ok=20jabob@,=20hin@=20(some=20ti?=
 =?UTF-8?q?me=20ago)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 ChangeLog   | 11 ++++++++++-
 auth-krb5.c | 28 ++++++++++++++++++++++------
 2 files changed, 32 insertions(+), 7 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index fed3b3d66..2050f121f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+20030811
+ - (dtucker) OpenBSD CVS Sync
+   (thanks to Simon Wilkinson for help with this -dt)
+   - markus@cvs.openbsd.org 2003/07/16 15:02:06
+     [auth-krb5.c]
+     mcc -> fcc; from Love H�rnquist �strand <lha@it.su.se>
+     otherwise the kerberos credentinal is stored in a memory cache
+     in the privileged sshd. ok jabob@, hin@ (some time ago)
+
 20030808
  - (dtucker) [openbsd-compat/fake-rfc2553.h] Older Linuxes have AI_PASSIVE and
    AI_CANONNAME in netdb.h but not AI_NUMERICHOST, so check each definition
@@ -804,4 +813,4 @@
  - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
    Report from murple@murple.net, diagnosis from dtucker@zip.com.au
 
-$Id: ChangeLog,v 1.2886 2003/08/08 03:43:37 dtucker Exp $
+$Id: ChangeLog,v 1.2887 2003/08/11 12:55:36 dtucker Exp $
diff --git a/auth-krb5.c b/auth-krb5.c
index 0a6f826e7..b04c6649b 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -28,7 +28,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-krb5.c,v 1.10 2002/11/21 23:03:51 deraadt Exp $");
+RCSID("$OpenBSD: auth-krb5.c,v 1.11 2003/07/16 15:02:06 markus Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -265,6 +265,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 	int tmpfd;
 #endif	
 	krb5_error_code problem;
+	krb5_ccache ccache = NULL;
 
 	if (authctxt->pw == NULL)
 		return (0);
@@ -281,23 +282,35 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 		goto out;
 
 #ifdef HEIMDAL
-	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops,
-	    &authctxt->krb5_fwd_ccache);
+	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache);
 	if (problem)
 		goto out;
 
-	problem = krb5_cc_initialize(authctxt->krb5_ctx,
-	    authctxt->krb5_fwd_ccache, authctxt->krb5_user);
+	problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
+		authctxt->krb5_user);
 	if (problem)
 		goto out;
 
 	restore_uid();
+	
 	problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
-	    authctxt->krb5_fwd_ccache, password, 1, NULL);
+	    ccache, password, 1, NULL);
+	
 	temporarily_use_uid(authctxt->pw);
 
 	if (problem)
 		goto out;
+	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
+	    &authctxt->krb5_fwd_ccache);
+	if (problem)
+		goto out;
+
+	problem = krb5_cc_copy_cache(authctxt->krb5_ctx, ccache,
+	    authctxt->krb5_fwd_ccache);
+	krb5_cc_destroy(authctxt->krb5_ctx, ccache);
+	ccache = NULL;
+	if (problem)
+		goto out;
 
 #else
 	problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
@@ -361,6 +374,9 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 	restore_uid();
 
 	if (problem) {
+		if (ccache)
+			krb5_cc_destroy(authctxt->krb5_ctx, ccache);
+
 		if (authctxt->krb5_ctx != NULL && problem!=-1)
 			debug("Kerberos password authentication failed: %s",
 			    krb5_get_err_text(authctxt->krb5_ctx, problem));
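Review bot: The new `if (ccache) krb5_cc_destroy(...)` guard, and the unconditional `krb5_ccache ccache = NULL;` it relies on, are compiled into the MIT build as well, where the `#else` branch visible in the previous hunk does not appear to touch `ccache`, so the check is dead code there; wrapping the declaration and this destroy in `#ifdef HEIMDAL` would keep Heimdal-only state out of the MIT path. If it is kept generic, a comment such as `/* Heimdal: drop the temporary memory cache if we bailed out before it was copied to the file cache */` would explain why a cache is destroyed on the shared failure path. The return value of krb5_cc_destroy is ignored, which is tolerable on a failure path but could be reported at debug level. The enclosing function starts outside this hunk.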