diff options
author | Markus Friedl <markus@cvs.openbsd.org> | 2003-07-16 15:02:07 +0000 |
---|---|---|
committer | Markus Friedl <markus@cvs.openbsd.org> | 2003-07-16 15:02:07 +0000 |
commit | 92c3af000ebe1feb86a6077ef8b846b97e62bb8e (patch) | |
tree | 04ac9beec1ab3a75c49519842fe8d33bcf5fcfb7 | |
parent | 38f63e57aae6ac8a478eae6653110f551ed5bebb (diff) |
mcc -> fcc; from Love Hörnquist Åstrand <lha@it.su.se>
otherwise the kerberos credentinal is stored in a memory cache
in the privileged sshd. ok jabob@, hin@ (some time ago)
-rw-r--r-- | usr.bin/ssh/auth-krb5.c | 29 |
1 files changed, 23 insertions, 6 deletions
diff --git a/usr.bin/ssh/auth-krb5.c b/usr.bin/ssh/auth-krb5.c index e5ade6502b1..5162732c46c 100644 --- a/usr.bin/ssh/auth-krb5.c +++ b/usr.bin/ssh/auth-krb5.c @@ -28,7 +28,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-krb5.c,v 1.10 2002/11/21 23:03:51 deraadt Exp $"); +RCSID("$OpenBSD: auth-krb5.c,v 1.11 2003/07/16 15:02:06 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -208,6 +208,7 @@ int auth_krb5_password(Authctxt *authctxt, const char *password) { krb5_error_code problem; + krb5_ccache ccache = NULL; if (authctxt->pw == NULL) return (0); @@ -223,30 +224,46 @@ auth_krb5_password(Authctxt *authctxt, const char *password) if (problem) goto out; - problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, - &authctxt->krb5_fwd_ccache); + problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache); if (problem) goto out; - problem = krb5_cc_initialize(authctxt->krb5_ctx, - authctxt->krb5_fwd_ccache, authctxt->krb5_user); + problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache, + authctxt->krb5_user); if (problem) goto out; restore_uid(); + problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user, - authctxt->krb5_fwd_ccache, password, 1, NULL); + ccache, password, 1, NULL); + temporarily_use_uid(authctxt->pw); if (problem) goto out; + problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, + &authctxt->krb5_fwd_ccache); + if (problem) + goto out; + + problem = krb5_cc_copy_cache(authctxt->krb5_ctx, ccache, + authctxt->krb5_fwd_ccache); + krb5_cc_destroy(authctxt->krb5_ctx, ccache); + ccache = NULL; + if (problem) + goto out; + authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache); out: restore_uid(); if (problem) { + if (ccache) + krb5_cc_destroy(authctxt->krb5_ctx, ccache); + if (authctxt->krb5_ctx != NULL) debug("Kerberos password authentication failed: %s", krb5_get_err_text(authctxt->krb5_ctx, problem)); |