summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMarkus Friedl <markus@cvs.openbsd.org>2003-07-16 15:02:07 +0000
committerMarkus Friedl <markus@cvs.openbsd.org>2003-07-16 15:02:07 +0000
commit92c3af000ebe1feb86a6077ef8b846b97e62bb8e (patch)
tree04ac9beec1ab3a75c49519842fe8d33bcf5fcfb7
parent38f63e57aae6ac8a478eae6653110f551ed5bebb (diff)
mcc -> fcc; from Love Hörnquist Åstrand <lha@it.su.se>
otherwise the kerberos credentinal is stored in a memory cache in the privileged sshd. ok jabob@, hin@ (some time ago)
-rw-r--r--usr.bin/ssh/auth-krb5.c29
1 files changed, 23 insertions, 6 deletions
diff --git a/usr.bin/ssh/auth-krb5.c b/usr.bin/ssh/auth-krb5.c
index e5ade6502b1..5162732c46c 100644
--- a/usr.bin/ssh/auth-krb5.c
+++ b/usr.bin/ssh/auth-krb5.c
@@ -28,7 +28,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-krb5.c,v 1.10 2002/11/21 23:03:51 deraadt Exp $");
+RCSID("$OpenBSD: auth-krb5.c,v 1.11 2003/07/16 15:02:06 markus Exp $");
#include "ssh.h"
#include "ssh1.h"
@@ -208,6 +208,7 @@ int
auth_krb5_password(Authctxt *authctxt, const char *password)
{
krb5_error_code problem;
+ krb5_ccache ccache = NULL;
if (authctxt->pw == NULL)
return (0);
@@ -223,30 +224,46 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
if (problem)
goto out;
- problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops,
- &authctxt->krb5_fwd_ccache);
+ problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache);
if (problem)
goto out;
- problem = krb5_cc_initialize(authctxt->krb5_ctx,
- authctxt->krb5_fwd_ccache, authctxt->krb5_user);
+ problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
+ authctxt->krb5_user);
if (problem)
goto out;
restore_uid();
+
problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
- authctxt->krb5_fwd_ccache, password, 1, NULL);
+ ccache, password, 1, NULL);
+
temporarily_use_uid(authctxt->pw);
if (problem)
goto out;
+ problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
+ &authctxt->krb5_fwd_ccache);
+ if (problem)
+ goto out;
+
+ problem = krb5_cc_copy_cache(authctxt->krb5_ctx, ccache,
+ authctxt->krb5_fwd_ccache);
+ krb5_cc_destroy(authctxt->krb5_ctx, ccache);
+ ccache = NULL;
+ if (problem)
+ goto out;
+
authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
out:
restore_uid();
if (problem) {
+ if (ccache)
+ krb5_cc_destroy(authctxt->krb5_ctx, ccache);
+
if (authctxt->krb5_ctx != NULL)
debug("Kerberos password authentication failed: %s",
krb5_get_err_text(authctxt->krb5_ctx, problem));