- dtucker@cvs.openbsd.org 2005/11/21 09:42:10

[auth-krb5.c] Perform Kerberos calls even for invalid users to prevent leaking information about account validity. bz #975, patch originally from Senthil Kumar, sanity checked by Simon Wilkinson, tested by djm@, biorn@, ok markus@
author: Darren Tucker <dtucker@zip.com.au> 2005-11-22 19:42:42 +1100
committer: Darren Tucker <dtucker@zip.com.au> 2005-11-22 19:42:42 +1100
commit: f4732f647572f40d93f4fbd1e65d744ed10b2620 (patch)
tree: e26808c082fcbca769626081462a9e8f764f4d22 /auth-krb5.c
parent: e8400da9d53700872c9dea6b9d52af98c59022b9 (diff)
1 files changed, 2 insertions, 5 deletions
diff --git a/auth-krb5.c b/auth-krb5.c
index a84e5401c..64d613543 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -28,7 +28,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth-krb5.c,v 1.15 2003/11/21 11:57:02 djm Exp $");
+RCSID("$OpenBSD: auth-krb5.c,v 1.16 2005/11/21 09:42:10 dtucker Exp $");
 #include "ssh.h"
 #include "ssh1.h"
@@ -69,9 +69,6 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
        krb5_ccache ccache = NULL;
        int len;
-        if (!authctxt->valid)
-                return (0);
        temporarily_use_uid(authctxt->pw);
        problem = krb5_init(authctxt);
@@ -188,7 +185,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
                else
                        return (0);
        }
-        return (1);
+        return (authctxt->valid ? 1 : 0);
 }
 void
author	Darren Tucker <dtucker@zip.com.au>	2005-11-22 19:42:42 +1100
committer	Darren Tucker <dtucker@zip.com.au>	2005-11-22 19:42:42 +1100
commit	f4732f647572f40d93f4fbd1e65d744ed10b2620 (patch)
tree	e26808c082fcbca769626081462a9e8f764f4d22 /auth-krb5.c
parent	e8400da9d53700872c9dea6b9d52af98c59022b9 (diff)