-rw-r--r--ChangeLog12
-rw-r--r--gss-serv.c15
-rw-r--r--sshconnect2.c5
3 files changed, 27 insertions, 5 deletions
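--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,14 @@
 20050830
+ - (djm) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2005/08/30 22:08:05
+     [gss-serv.c sshconnect2.c]
+     destroy credentials if krb5_kuserok() call fails. Stops credentials being
+     delegated to users who are not authorised for GSSAPIAuthentication when
+     GSSAPIDeletegateCredentials=yes and another authentication mechanism
+     succeeds; bz#1073 reported by paul.moore AT centrify.com, fix by
+     simon AT sxw.org.uk, tested todd@ biorn@ jakob@; ok deraadt@
+
+20050830
  - (tim) [configure.ac] Back out last change. It needs to be done differently.
 
 20050829
@@ -2968,4 +2978,4 @@
  - (djm) Trim deprecated options from INSTALL. Mention UsePAM
  - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.3882 2005/08/31 09:42:20 djm Exp $
+$Id: ChangeLog,v 1.3883 2005/08/31 09:46:26 djm Exp $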
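--- a/gss-serv.c
+++ b/gss-serv.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gss-serv.c,v 1.7 2005/07/17 07:17:55 djm Exp $ */
+/* $OpenBSD: gss-serv.c,v 1.8 2005/08/30 22:08:05 djm Exp $ */
 
 /*
  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -275,13 +275,24 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep)
 int
 ssh_gssapi_userok(char *user)
 {
+	OM_uint32 lmin;
+
 	if (gssapi_client.exportedname.length == 0 ||
 	    gssapi_client.exportedname.value == NULL) {
 		debug("No suitable client data");
 		return 0;
 	}
 	if (gssapi_client.mech && gssapi_client.mech->userok)
-		return ((*gssapi_client.mech->userok)(&gssapi_client, user));
+		if ((*gssapi_client.mech->userok)(&gssapi_client, user))
+			return 1;
+		else {
+			/* Destroy delegated credentials if userok fails */
+			gss_release_buffer(&lmin, &gssapi_client.displayname);
+			gss_release_buffer(&lmin, &gssapi_client.exportedname);
+			gss_release_cred(&lmin, &gssapi_client.creds);
+			memset(&gssapi_client, 0, sizeof(ssh_gssapi_client));
+			return 0;
+		}
 	else
 		debug("ssh_gssapi_userok: Unknown GSSAPI mechanism");
 	return (0);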
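Review bot: The new code at lines 286–295 nests an unbraced `if`/`else` directly under the unbraced outer `if (gssapi_client.mech && gssapi_client.mech->userok)`, so the inner `else` pairs with the inner `if` only by the dangling-else rule and the outer `else` at line 296 sits three indentation levels from its own `if`; brace the outer body, `if (gssapi_client.mech && gssapi_client.mech->userok) {` … `} else`, so the pairing no longer depends on indentation. Once braced, the inner `else {` can be dropped, because `return 1;` already leaves the function, which flattens the credential-destruction block by one level. Separately, the unknown-mechanism path at lines 296–298 still returns 0 without touching `gssapi_client.creds`; if delegated credentials can be present in that state, they would survive a failed authorisation exactly as before this change — worth confirming, since how creds are populated is outside this hunk. ssh_gssapi_userok is complete within the hunk.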
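--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.141 2005/07/25 11:59:40 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.142 2005/08/30 22:08:05 djm Exp $");
 
 #include "openbsd-compat/sys-queue.h"
 
@@ -545,7 +545,8 @@ process_gssapi_token(void *ctxt, gss_buffer_t recv_tok)
 	Authctxt *authctxt = ctxt;
 	Gssctxt *gssctxt = authctxt->methoddata;
 	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
-	gss_buffer_desc gssbuf, mic;
+	gss_buffer_desc mic = GSS_C_EMPTY_BUFFER;
+	gss_buffer_desc gssbuf;
 	OM_uint32 status, ms, flags;
 	Buffer b;
 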
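Review bot: The reason `mic` now needs `GSS_C_EMPTY_BUFFER` at line 548 is not stated anywhere in the hunk; presumably a cleanup path later in process_gssapi_token releases `mic` even when no MIC was produced, in which case a one-line comment such as `/* empty so the exit path can gss_release_buffer() it unconditionally */` would record that invariant for the next reader. `gssbuf` at line 549 keeps no initializer, which is only safe if it is never released on a path where it was not assigned — worth checking against the rest of the function. process_gssapi_token's body continues outside the hunk.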