- (djm) OpenBSD CVS changes:

   - markus@cvs.openbsd.org  2000/07/22 03:14:37
     [servconf.c servconf.h sshd.8 sshd.c sshd_config]
     random early drop; ok theo, niels
   - deraadt@cvs.openbsd.org 2000/07/26 11:46:51
     [ssh.1]
     typo
   - deraadt@cvs.openbsd.org 2000/08/01 11:46:11
     [sshd.8]
     many fixes from pepper@mail.reppep.com
   - provos@cvs.openbsd.org  2000/08/01 13:01:42
     [Makefile.in util.c aux.c]
     rename aux.c to util.c to help with cygwin port
   - deraadt@cvs.openbsd.org 2000/08/02 00:23:31
     [authfd.c]
     correct sun_len; Alexander@Leidinger.net
   - provos@cvs.openbsd.org  2000/08/02 10:27:17
     [readconf.c sshd.8]
     disable kerberos authentication by default
   - provos@cvs.openbsd.org  2000/08/02 11:27:05
     [sshd.8 readconf.c auth-krb4.c]
     disallow kerberos authentication if we can't verify the TGT; from
     dugsong@
     kerberos authentication is on by default only if you have a srvtab.
   - markus@cvs.openbsd.org  2000/08/04 14:30:07
     [auth.c]
     unused
   - markus@cvs.openbsd.org  2000/08/04 14:30:35
     [sshd_config]
     MaxStartups
   - markus@cvs.openbsd.org  2000/08/15 13:20:46
     [authfd.c]
     cleanup; ok niels@
   - markus@cvs.openbsd.org  2000/08/17 14:05:10
     [session.c]
     cleanup login(1)-like jobs, no duplicate utmp entries
   - markus@cvs.openbsd.org  2000/08/17 14:06:34
     [session.c sshd.8 sshd.c]
      sshd -u len, similar to telnetd

1 files changed, 5 insertions, 3 deletions

diff --git a/auth-krb4.c b/auth-krb4.c
index e32089b74..ae2b2a3d8 100644
--- a/auth-krb4.c
+++ b/auth-krb4.c
@@ -9,7 +9,7 @@
 #include "ssh.h"
 #include "servconf.h"
 
-RCSID("$OpenBSD: auth-krb4.c,v 1.15 2000/06/22 23:54:59 djm Exp $");
+RCSID("$OpenBSD: auth-krb4.c,v 1.16 2000/08/02 17:27:04 provos Exp $");
 
 #ifdef KRB4
 char *ticket = NULL;
@@ -82,11 +82,12 @@ auth_krb4_password(struct passwd * pw, const char *password)
                         if (r == RD_AP_UNDEC) {
                                 /*
                                  * Probably didn't have a srvtab on
-                                 * localhost. Allow login.
+                                 * localhost. Disallow login.
                                  */
                                 log("Kerberos V4 TGT for %s unverifiable, "
                                     "no srvtab installed? krb_rd_req: %s",
                                     pw->pw_name, krb_err_txt[r]);
+                                goto kerberos_auth_failure;
                         } else if (r != KSUCCESS) {
                                 log("Kerberos V4 %s ticket unverifiable: %s",
                                     KRB4_SERVICE_NAME, krb_err_txt[r]);
@@ -94,12 +95,13 @@ auth_krb4_password(struct passwd * pw, const char *password)
                         }
                 } else if (r == KDC_PR_UNKNOWN) {
                         /*
-                         * Allow login if no rcmd service exists, but
+                         * Disallow login if no rcmd service exists, and
                          * log the error.
                          */
                         log("Kerberos V4 TGT for %s unverifiable: %s; %s.%s "
                             "not registered, or srvtab is wrong?", pw->pw_name,
                         krb_err_txt[r], KRB4_SERVICE_NAME, phost);
+                        goto kerberos_auth_failure;
                 } else {
                         /*
                          * TGT is bad, forget it. Possibly spoofed!