diff options
| author | Darren Tucker <dtucker@zip.com.au> | 2005-11-22 19:42:42 +1100 |
|---|---|---|
| committer | Darren Tucker <dtucker@zip.com.au> | 2005-11-22 19:42:42 +1100 |
| commit | f4732f647572f40d93f4fbd1e65d744ed10b2620 (patch) | |
| tree | e26808c082fcbca769626081462a9e8f764f4d22 | |
| parent | e8400da9d53700872c9dea6b9d52af98c59022b9 (diff) | |
- dtucker@cvs.openbsd.org 2005/11/21 09:42:10
[auth-krb5.c]
Perform Kerberos calls even for invalid users to prevent leaking
information about account validity. bz #975, patch originally from
Senthil Kumar, sanity checked by Simon Wilkinson, tested by djm@, biorn@,
ok markus@
| -rw-r--r-- | ChangeLog | 8 | ||||
| -rw-r--r-- | auth-krb5.c | 7 |
2 files changed, 9 insertions, 6 deletions
| @@ -12,6 +12,12 @@ | |||
| 12 | will pull it in. At the moment it gets pulled in by sys/select.h | 12 | will pull it in. At the moment it gets pulled in by sys/select.h |
| 13 | (which ssh has no business including) via event.h. OK markus@ | 13 | (which ssh has no business including) via event.h. OK markus@ |
| 14 | (ID sync only in -portable) | 14 | (ID sync only in -portable) |
| 15 | - dtucker@cvs.openbsd.org 2005/11/21 09:42:10 | ||
| 16 | [auth-krb5.c] | ||
| 17 | Perform Kerberos calls even for invalid users to prevent leaking | ||
| 18 | information about account validity. bz #975, patch originally from | ||
| 19 | Senthil Kumar, sanity checked by Simon Wilkinson, tested by djm@, biorn@, | ||
| 20 | ok markus@ | ||
| 15 | 21 | ||
| 16 | 20051120 | 22 | 20051120 |
| 17 | - (dtucker) [openbsd-compat/openssl-compat.h] Add comment explaining what | 23 | - (dtucker) [openbsd-compat/openssl-compat.h] Add comment explaining what |
| @@ -3321,4 +3327,4 @@ | |||
| 3321 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM | 3327 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM |
| 3322 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu | 3328 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu |
| 3323 | 3329 | ||
| 3324 | $Id: ChangeLog,v 1.3999 2005/11/22 08:41:33 dtucker Exp $ | 3330 | $Id: ChangeLog,v 1.4000 2005/11/22 08:42:42 dtucker Exp $ |
diff --git a/auth-krb5.c b/auth-krb5.c index a84e5401c..64d613543 100644 --- a/auth-krb5.c +++ b/auth-krb5.c | |||
| @@ -28,7 +28,7 @@ | |||
| 28 | */ | 28 | */ |
| 29 | 29 | ||
| 30 | #include "includes.h" | 30 | #include "includes.h" |
| 31 | RCSID("$OpenBSD: auth-krb5.c,v 1.15 2003/11/21 11:57:02 djm Exp $"); | 31 | RCSID("$OpenBSD: auth-krb5.c,v 1.16 2005/11/21 09:42:10 dtucker Exp $"); |
| 32 | 32 | ||
| 33 | #include "ssh.h" | 33 | #include "ssh.h" |
| 34 | #include "ssh1.h" | 34 | #include "ssh1.h" |
| @@ -69,9 +69,6 @@ auth_krb5_password(Authctxt *authctxt, const char *password) | |||
| 69 | krb5_ccache ccache = NULL; | 69 | krb5_ccache ccache = NULL; |
| 70 | int len; | 70 | int len; |
| 71 | 71 | ||
| 72 | if (!authctxt->valid) | ||
| 73 | return (0); | ||
| 74 | |||
| 75 | temporarily_use_uid(authctxt->pw); | 72 | temporarily_use_uid(authctxt->pw); |
| 76 | 73 | ||
| 77 | problem = krb5_init(authctxt); | 74 | problem = krb5_init(authctxt); |
| @@ -188,7 +185,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password) | |||
| 188 | else | 185 | else |
| 189 | return (0); | 186 | return (0); |
| 190 | } | 187 | } |
| 191 | return (1); | 188 | return (authctxt->valid ? 1 : 0); |
| 192 | } | 189 | } |
| 193 | 190 | ||
| 194 | void | 191 | void |