From 8f1873191478847773906af961c8984d02a49dd6 Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Thu, 24 Oct 2013 10:53:02 +1100
Subject:  - (djm) [auth-krb5.c] bz#2032 - use local username in krb5_kuserok
 check    rather than full client name which may be of form user@REALM;   
 patch from Miguel Sanders; ok dtucker@

---
 ChangeLog   | 5 +++++
 auth-krb5.c | 3 ++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index a4af4e897..26b5c5d7a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+20131024
+ - (djm) [auth-krb5.c] bz#2032 - use local username in krb5_kuserok check
+   rather than full client name which may be of form user@REALM;
+   patch from Miguel Sanders; ok dtucker@
+
 20131023
  - (djm) OpenBSD CVS Sync
    - djm@cvs.openbsd.org 2013/10/20 04:39:28
diff --git a/auth-krb5.c b/auth-krb5.c
index 7c83f597f..6c62bdf54 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -157,7 +157,8 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 	if (problem)
 		goto out;
 
-	if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
+	if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
+	    authctxt->pw->pw_name)) {
 		problem = -1;
 		goto out;
 	}
-- 
cgit v1.2.3