- (dtucker) OpenBSD CVS Sync

(thanks to Simon Wilkinson for help with this -dt) - markus@cvs.openbsd.org 2003/07/16 15:02:06 [auth-krb5.c] mcc -> fcc; from Love Hörnquist Åstrand <lha@it.su.se> otherwise the kerberos credentinal is stored in a memory cache in the privileged sshd. ok jabob@, hin@ (some time ago)
author: Darren Tucker <dtucker@zip.com.au> 2003-08-11 22:55:36 +1000
committer: Darren Tucker <dtucker@zip.com.au> 2003-08-11 22:55:36 +1000
commit: ec0943a96c80c920bee584240a889ae7b619b4e8 (patch)
tree: 61c24291f9c5460d6adb1854f53b5ac615497da9 /auth-krb5.c
parent: f38db7f5dae83b5aeeab681edd266a62b3ebc1f6 (diff)
1 files changed, 22 insertions, 6 deletions
diff --git a/auth-krb5.c b/auth-krb5.c
index 0a6f826e7..b04c6649b 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -28,7 +28,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth-krb5.c,v 1.10 2002/11/21 23:03:51 deraadt Exp $");
+RCSID("$OpenBSD: auth-krb5.c,v 1.11 2003/07/16 15:02:06 markus Exp $");
 #include "ssh.h"
 #include "ssh1.h"
@@ -265,6 +265,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
        int tmpfd;
 #endif  
        krb5_error_code problem;
+        krb5_ccache ccache = NULL;
        if (authctxt->pw == NULL)
                return (0);
@@ -281,23 +282,35 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
                goto out;
 #ifdef HEIMDAL
-        problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops,
+        problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache);
-            &authctxt->krb5_fwd_ccache);
        if (problem)
                goto out;
-        problem = krb5_cc_initialize(authctxt->krb5_ctx,
+        problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
-            authctxt->krb5_fwd_ccache, authctxt->krb5_user);
+                authctxt->krb5_user);
        if (problem)
                goto out;
        restore_uid();
+        
        problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
-            authctxt->krb5_fwd_ccache, password, 1, NULL);
+            ccache, password, 1, NULL);
+        
        temporarily_use_uid(authctxt->pw);
        if (problem)
                goto out;
+        problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
+            &authctxt->krb5_fwd_ccache);
+        if (problem)
+                goto out;
+        problem = krb5_cc_copy_cache(authctxt->krb5_ctx, ccache,
+            authctxt->krb5_fwd_ccache);
+        krb5_cc_destroy(authctxt->krb5_ctx, ccache);
+        ccache = NULL;
+        if (problem)
+                goto out;
 #else
        problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
@@ -361,6 +374,9 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
        restore_uid();
        if (problem) {
+                if (ccache)
+                        krb5_cc_destroy(authctxt->krb5_ctx, ccache);
                if (authctxt->krb5_ctx != NULL && problem!=-1)
                        debug("Kerberos password authentication failed: %s",
                            krb5_get_err_text(authctxt->krb5_ctx, problem));
author	Darren Tucker <dtucker@zip.com.au>	2003-08-11 22:55:36 +1000
committer	Darren Tucker <dtucker@zip.com.au>	2003-08-11 22:55:36 +1000
commit	ec0943a96c80c920bee584240a889ae7b619b4e8 (patch)
tree	61c24291f9c5460d6adb1854f53b5ac615497da9 /auth-krb5.c
parent	f38db7f5dae83b5aeeab681edd266a62b3ebc1f6 (diff)