From 942da039d2a05e6f491883f50b516175a6dbb20f Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Fri, 18 Aug 2000 13:59:06 +1000
Subject:  - (djm) OpenBSD CVS changes:    - markus@cvs.openbsd.org  2000/07/22
 03:14:37      [servconf.c servconf.h sshd.8 sshd.c sshd_config]      random
 early drop; ok theo, niels    - deraadt@cvs.openbsd.org 2000/07/26 11:46:51  
    [ssh.1]      typo    - deraadt@cvs.openbsd.org 2000/08/01 11:46:11     
 [sshd.8]      many fixes from pepper@mail.reppep.com    -
 provos@cvs.openbsd.org  2000/08/01 13:01:42      [Makefile.in util.c aux.c]  
    rename aux.c to util.c to help with cygwin port    -
 deraadt@cvs.openbsd.org 2000/08/02 00:23:31      [authfd.c]      correct
 sun_len; Alexander@Leidinger.net    - provos@cvs.openbsd.org  2000/08/02
 10:27:17      [readconf.c sshd.8]      disable kerberos authentication by
 default    - provos@cvs.openbsd.org  2000/08/02 11:27:05      [sshd.8
 readconf.c auth-krb4.c]      disallow kerberos authentication if we can't
 verify the TGT; from      dugsong@      kerberos authentication is on by
 default only if you have a srvtab.    - markus@cvs.openbsd.org  2000/08/04
 14:30:07      [auth.c]      unused    - markus@cvs.openbsd.org  2000/08/04
 14:30:35      [sshd_config]      MaxStartups    - markus@cvs.openbsd.org 
 2000/08/15 13:20:46      [authfd.c]      cleanup; ok niels@    -
 markus@cvs.openbsd.org  2000/08/17 14:05:10      [session.c]      cleanup
 login(1)-like jobs, no duplicate utmp entries    - markus@cvs.openbsd.org 
 2000/08/17 14:06:34      [session.c sshd.8 sshd.c]       sshd -u len, similar
 to telnetd

---
 auth-krb4.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

(limited to 'auth-krb4.c')

diff --git a/auth-krb4.c b/auth-krb4.c
index e32089b74..ae2b2a3d8 100644
--- a/auth-krb4.c
+++ b/auth-krb4.c
@@ -9,7 +9,7 @@
 #include "ssh.h"
 #include "servconf.h"
 
-RCSID("$OpenBSD: auth-krb4.c,v 1.15 2000/06/22 23:54:59 djm Exp $");
+RCSID("$OpenBSD: auth-krb4.c,v 1.16 2000/08/02 17:27:04 provos Exp $");
 
 #ifdef KRB4
 char *ticket = NULL;
@@ -82,11 +82,12 @@ auth_krb4_password(struct passwd * pw, const char *password)
 			if (r == RD_AP_UNDEC) {
 				/*
 				 * Probably didn't have a srvtab on
-				 * localhost. Allow login.
+				 * localhost. Disallow login.
 				 */
 				log("Kerberos V4 TGT for %s unverifiable, "
 				    "no srvtab installed? krb_rd_req: %s",
 				    pw->pw_name, krb_err_txt[r]);
+				goto kerberos_auth_failure;
 			} else if (r != KSUCCESS) {
 				log("Kerberos V4 %s ticket unverifiable: %s",
 				    KRB4_SERVICE_NAME, krb_err_txt[r]);
@@ -94,12 +95,13 @@ auth_krb4_password(struct passwd * pw, const char *password)
 			}
 		} else if (r == KDC_PR_UNKNOWN) {
 			/*
-			 * Allow login if no rcmd service exists, but
+			 * Disallow login if no rcmd service exists, and
 			 * log the error.
 			 */
 			log("Kerberos V4 TGT for %s unverifiable: %s; %s.%s "
 			    "not registered, or srvtab is wrong?", pw->pw_name,
 			krb_err_txt[r], KRB4_SERVICE_NAME, phost);
+			goto kerberos_auth_failure;
 		} else {
 			/*
 			 * TGT is bad, forget it. Possibly spoofed!
-- 
cgit v1.2.3