author | Darren Tucker <dtucker@zip.com.au> | 2003-08-11 22:55:36 +1000 |
---|---|---|
committer | Darren Tucker <dtucker@zip.com.au> | 2003-08-11 22:55:36 +1000 |
commit | ec0943a96c80c920bee584240a889ae7b619b4e8 (patch) | |
tree | 61c24291f9c5460d6adb1854f53b5ac615497da9 | |
parent | f38db7f5dae83b5aeeab681edd266a62b3ebc1f6 (diff) |
- (dtucker) OpenBSD CVS Sync
(thanks to Simon Wilkinson for help with this -dt)
- markus@cvs.openbsd.org 2003/07/16 15:02:06
[auth-krb5.c]
mcc -> fcc; from Love Hörnquist Åstrand <lha@it.su.se>
otherwise the kerberos credential is stored in a memory cache
in the privileged sshd. ok jabob@, hin@ (some time ago)
-rw-r--r-- | ChangeLog | 11 | ||||
-rw-r--r-- | auth-krb5.c | 28 |
2 files changed, 32 insertions, 7 deletions
@@ -1,3 +1,12 @@ | |||
1 | 20030811 | ||
2 | - (dtucker) OpenBSD CVS Sync | ||
3 | (thanks to Simon Wilkinson for help with this -dt) | ||
4 | - markus@cvs.openbsd.org 2003/07/16 15:02:06 | ||
5 | [auth-krb5.c] | ||
6 | mcc -> fcc; from Love Hörnquist Åstrand <lha@it.su.se> | ||
7 | otherwise the kerberos credentinal is stored in a memory cache | ||
8 | in the privileged sshd. ok jabob@, hin@ (some time ago) | ||
9 | |||
1 | 20030808 | 10 | 20030808 |
2 | - (dtucker) [openbsd-compat/fake-rfc2553.h] Older Linuxes have AI_PASSIVE and | 11 | - (dtucker) [openbsd-compat/fake-rfc2553.h] Older Linuxes have AI_PASSIVE and |
3 | AI_CANONNAME in netdb.h but not AI_NUMERICHOST, so check each definition | 12 | AI_CANONNAME in netdb.h but not AI_NUMERICHOST, so check each definition |
@@ -804,4 +813,4 @@ | |||
804 | - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. | 813 | - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. |
805 | Report from murple@murple.net, diagnosis from dtucker@zip.com.au | 814 | Report from murple@murple.net, diagnosis from dtucker@zip.com.au |
806 | 815 | ||
807 | $Id: ChangeLog,v 1.2886 2003/08/08 03:43:37 dtucker Exp $ | 816 | $Id: ChangeLog,v 1.2887 2003/08/11 12:55:36 dtucker Exp $ |
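--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -28,7 +28,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-krb5.c,v 1.10 2002/11/21 23:03:51 deraadt Exp $");
+RCSID("$OpenBSD: auth-krb5.c,v 1.11 2003/07/16 15:02:06 markus Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -265,6 +265,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 	int tmpfd;
 #endif
 	krb5_error_code problem;
+	krb5_ccache ccache = NULL;
 
 	if (authctxt->pw == NULL)
 		return (0);
@@ -281,23 +282,35 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 		goto out;
 
 #ifdef HEIMDAL
-	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops,
-	    &authctxt->krb5_fwd_ccache);
+	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache);
 	if (problem)
 		goto out;
 
-	problem = krb5_cc_initialize(authctxt->krb5_ctx,
-	    authctxt->krb5_fwd_ccache, authctxt->krb5_user);
+	problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
+	    authctxt->krb5_user);
 	if (problem)
 		goto out;
 
 	restore_uid();
+
 	problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
-	    authctxt->krb5_fwd_ccache, password, 1, NULL);
+	    ccache, password, 1, NULL);
+
 	temporarily_use_uid(authctxt->pw);
 
 	if (problem)
 		goto out;
+	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
+	    &authctxt->krb5_fwd_ccache);
+	if (problem)
+		goto out;
+
+	problem = krb5_cc_copy_cache(authctxt->krb5_ctx, ccache,
+	    authctxt->krb5_fwd_ccache);
+	krb5_cc_destroy(authctxt->krb5_ctx, ccache);
+	ccache = NULL;
+	if (problem)
+		goto out;
 
 #else
 	problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
@@ -361,6 +374,9 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 	restore_uid();
 
 	if (problem) {
+		if (ccache)
+			krb5_cc_destroy(authctxt->krb5_ctx, ccache);
+
 		if (authctxt->krb5_ctx != NULL && problem!=-1)
 			debug("Kerberos password authentication failed: %s",
 			    krb5_get_err_text(authctxt->krb5_ctx, problem));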
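Review bot: In the HEIMDAL block at new lines 303-313, a failure of `krb5_cc_copy_cache` jumps to `out` after the file cache in `authctxt->krb5_fwd_ccache` has already been created, and the new `if (ccache)` guard at line 377 only tears down the memory cache; whether the remainder of the error path (past line 382, outside this hunk) destroys `krb5_fwd_ccache` cannot be seen here, so if it does not, a stale credential file is left on disk for the user. If that tail does not cover it, I would change the check to `if (problem) { krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache); authctxt->krb5_fwd_ccache = NULL; goto out; }`. The return value of `krb5_cc_destroy` at line 310 is also discarded; since leaving the credential in the privileged process's memory cache is precisely what this commit sets out to avoid, a `debug()` on a nonzero result would make that failure visible in the logs. A short comment above the second `krb5_cc_gen_new` would help future readers, e.g. `/* Verify against a memory cache, then move the credential to a file cache so it does not remain in the privileged sshd. */`. The function auth_krb5_password begins before the first hunk and its cleanup path continues after the last.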