diff options
| author | Damien Miller <djm@mindrot.org> | 2005-08-31 19:46:26 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2005-08-31 19:46:26 +1000 |
| commit | da9984fc3aafc194485556ae2c7dc6c52cbd56c2 (patch) | |
| tree | f34f637005409c5d30b393dffe519bf7216d7f6f /gss-serv.c | |
| parent | ca9ce95bdda599dbfa566385e66732327f27dd30 (diff) | |
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2005/08/30 22:08:05
[gss-serv.c sshconnect2.c]
destroy credentials if krb5_kuserok() call fails. Stops credentials being
delegated to users who are not authorised for GSSAPIAuthentication when
GSSAPIDeletegateCredentials=yes and another authentication mechanism
succeeds; bz#1073 reported by paul.moore AT centrify.com, fix by
simon AT sxw.org.uk, tested todd@ biorn@ jakob@; ok deraadt@
Diffstat (limited to 'gss-serv.c')
| -rw-r--r-- | gss-serv.c | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/gss-serv.c b/gss-serv.c index e191eb5a0..117130459 100644 --- a/gss-serv.c +++ b/gss-serv.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: gss-serv.c,v 1.7 2005/07/17 07:17:55 djm Exp $ */ | 1 | /* $OpenBSD: gss-serv.c,v 1.8 2005/08/30 22:08:05 djm Exp $ */ |
| 2 | 2 | ||
| 3 | /* | 3 | /* |
| 4 | * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | 4 | * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. |
| @@ -275,13 +275,24 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep) | |||
| 275 | int | 275 | int |
| 276 | ssh_gssapi_userok(char *user) | 276 | ssh_gssapi_userok(char *user) |
| 277 | { | 277 | { |
| 278 | OM_uint32 lmin; | ||
| 279 | |||
| 278 | if (gssapi_client.exportedname.length == 0 || | 280 | if (gssapi_client.exportedname.length == 0 || |
| 279 | gssapi_client.exportedname.value == NULL) { | 281 | gssapi_client.exportedname.value == NULL) { |
| 280 | debug("No suitable client data"); | 282 | debug("No suitable client data"); |
| 281 | return 0; | 283 | return 0; |
| 282 | } | 284 | } |
| 283 | if (gssapi_client.mech && gssapi_client.mech->userok) | 285 | if (gssapi_client.mech && gssapi_client.mech->userok) |
| 284 | return ((*gssapi_client.mech->userok)(&gssapi_client, user)); | 286 | if ((*gssapi_client.mech->userok)(&gssapi_client, user)) |
| 287 | return 1; | ||
| 288 | else { | ||
| 289 | /* Destroy delegated credentials if userok fails */ | ||
| 290 | gss_release_buffer(&lmin, &gssapi_client.displayname); | ||
| 291 | gss_release_buffer(&lmin, &gssapi_client.exportedname); | ||
| 292 | gss_release_cred(&lmin, &gssapi_client.creds); | ||
| 293 | memset(&gssapi_client, 0, sizeof(ssh_gssapi_client)); | ||
| 294 | return 0; | ||
| 295 | } | ||
| 285 | else | 296 | else |
| 286 | debug("ssh_gssapi_userok: Unknown GSSAPI mechanism"); | 297 | debug("ssh_gssapi_userok: Unknown GSSAPI mechanism"); |
| 287 | return (0); | 298 | return (0); |