Bugzilla – Attachment 185 Details for
Bug 456
Krb5 ticket forwarding is tryied even if krb5 authentication failed
[patch]
Don't delegate/accept delegated ticket if krb5 authentication hasn't been done
openssh.patch (text/plain), 3.06 KB, created by
Daniel Kouril
on 2002-12-13 20:34:52 AEDT
Description:
Don't delegate/accept delegated ticket if krb5 authentication hasn't been done
Creator:
Daniel Kouril
Created:
2002-12-13 20:34:52 AEDT
Size:
3.06 KB
>--- auth-krb5.c.orig Fri Dec 13 10:04:12 2002
>+++ auth-krb5.c Fri Dec 13 10:04:52 2002
>@@ -161,6 +161,7 @@
> else
> debug("Kerberos v5 authentication failed: %d",
> problem);
>+ krb5_cleanup_proc(authctxt);
> }
>
> return (ret);
>@@ -174,7 +175,8 @@
> char *pname;
> krb5_creds **creds;
>
>- if (authctxt->pw == NULL || authctxt->krb5_user == NULL)
>+ if (authctxt->pw == NULL || authctxt->krb5_user == NULL ||
>+ authctxt->krb5_auth_ctx == NULL)
> return (0);
>
> temporarily_use_uid(authctxt->pw);
>--- sshconnect1.c.orig Fri Dec 13 10:05:01 2002
>+++ sshconnect1.c Fri Dec 13 10:09:08 2002
>@@ -515,17 +515,20 @@
> int type;
> krb5_ap_rep_enc_part *reply = NULL;
> int ret;
>+ krb5_context ctx = NULL;
>+ krb5_auth_context auth_ctx = NULL;
>+
>
> memset(&ap, 0, sizeof(ap));
>
>- problem = krb5_init_context(context);
>+ problem = krb5_init_context(&ctx);
> if (problem) {
> debug("Kerberos v5: krb5_init_context failed");
> ret = 0;
> goto out;
> }
>
>- problem = krb5_auth_con_init(*context, auth_context);
>+ problem = krb5_auth_con_init(ctx, &auth_ctx);
> if (problem) {
> debug("Kerberos v5: krb5_auth_con_init failed");
> ret = 0;
>@@ -533,7 +536,7 @@
> }
>
> #ifndef HEIMDAL
>- problem = krb5_auth_con_setflags(*context, *auth_context,
>+ problem = krb5_auth_con_setflags(ctx, auth_ctx,
> KRB5_AUTH_CONTEXT_RET_TIME);
> if (problem) {
> debug("Keberos v5: krb5_auth_con_setflags failed");
>@@ -542,7 +545,7 @@
> }
> #endif
>
>- tkfile = krb5_cc_default_name(*context);
>+ tkfile = krb5_cc_default_name(ctx);
> if (strncmp(tkfile, "FILE:", 5) == 0)
> tkfile += 5;
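Review bot: The new `authctxt->krb5_auth_ctx == NULL` guard in the second auth-krb5.c hunk is only as reliable as the cleanup call added in the first one, because it treats a non-NULL auth context as proof that Kerberos authentication succeeded. That holds only if `krb5_cleanup_proc()` resets the field to NULL and every failure path reaches the call; neither is visible in these hunks, so both should be confirmed, along with whether the cleanup is safe to run here and again at teardown. The added call follows an unbraced `if`/`else`, so I would brace the branches and add a comment such as `/* drop krb5 state so a delegated TGT is refused after a failed auth */`. Both enclosing functions start outside the hunks.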
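Review bot: With the switch to the locals `ctx` and `auth_ctx` in the first sshconnect1.c hunk, the early `goto out` paths no longer write `*context` or `*auth_context`, so whatever the caller had in those variables survives a failed call. That is safe only if the caller initialises both to NULL before the call and tests them before forwarding a ticket; the caller is not shown on this page. I would state the contract in a comment above the function, whose header lies outside the hunk, e.g. `/* On failure *context and *auth_context are left untouched; callers must pass them in as NULL. */`.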
>
>@@ -552,21 +555,21 @@
> goto out;
> }
>
>- problem = krb5_cc_default(*context, &ccache);
>+ problem = krb5_cc_default(ctx, &ccache);
> if (problem) {
> debug("Kerberos v5: krb5_cc_default failed: %s",
>- krb5_get_err_text(*context, problem));
>+ krb5_get_err_text(ctx, problem));
> ret = 0;
> goto out;
> }
>
> remotehost = get_canonical_hostname(1);
>
>- problem = krb5_mk_req(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED,
>+ problem = krb5_mk_req(ctx, &auth_ctx, AP_OPTS_MUTUAL_REQUIRED,
> "host", remotehost, NULL, ccache, &ap);
> if (problem) {
> debug("Kerberos v5: krb5_mk_req failed: %s",
>- krb5_get_err_text(*context, problem));
>+ krb5_get_err_text(ctx, problem));
> ret = 0;
> goto out;
> }
>@@ -596,7 +599,7 @@
> packet_check_eom();
> /* XXX je to dobre? */
>
>- problem = krb5_rd_rep(*context, *auth_context, &ap, &reply);
>+ problem = krb5_rd_rep(ctx, auth_ctx, &ap, &reply);
> if (problem) {
> ret = 0;
> }
>@@ -611,17 +614,27 @@
>
> }
>
>+ *context = ctx;
>+ ctx = NULL;
>+ *auth_context = auth_ctx;
>+ auth_ctx = NULL;
>+
> out:
> if (ccache != NULL)
>- krb5_cc_close(*context, ccache);
>+ krb5_cc_close(ctx, ccache);
> if (reply != NULL)
>- krb5_free_ap_rep_enc_part(*context, reply);
>+ krb5_free_ap_rep_enc_part(ctx, reply);
> if (ap.length > 0)
> #ifdef HEIMDAL
> krb5_data_free(&ap);
> #else
>- krb5_free_data_contents(*context, &ap);
>+ krb5_free_data_contents(ctx, &ap);
> #endif
>+ if (auth_ctx != NULL)
>+ krb5_auth_con_free(ctx, auth_ctx);
>+
>+ if (ctx != NULL)
>+ krb5_free_context(ctx);
>
> return (ret);
> }
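Review bot: The ownership hand-off in the last hunk sits before the `out:` label, so on the fall-through path `ctx` is already NULL when `krb5_cc_close(ctx, ccache)`, `krb5_free_ap_rep_enc_part(ctx, reply)` and `krb5_free_data_contents(ctx, &ap)` run, and those calls receive a NULL context. The hand-off is also unconditional on that path, so if any case above the hunk falls through with `ret == 0`, the caller still receives live contexts after a failed authentication, which is the condition the bug describes. I would release the per-call objects first and transfer the contexts last, only when `ret` is non-zero, as sketched below. This assumes `ret` is non-zero only on success, which needs checking against the switch statement that lies outside the hunk.

```c
 out:
	/* … unchanged: release ccache, reply and ap while ctx is still valid … */
	if (ret) {
		/* Success: the caller now owns both contexts. */
		*context = ctx;
		*auth_context = auth_ctx;
	} else {
		if (auth_ctx != NULL)
			krb5_auth_con_free(ctx, auth_ctx);
		if (ctx != NULL)
			krb5_free_context(ctx);
	}

	return (ret);
```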