From ec0943a96c80c920bee584240a889ae7b619b4e8 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 11 Aug 2003 22:55:36 +1000 Subject: =?UTF-8?q?=20-=20(dtucker)=20OpenBSD=20CVS=20Sync=20=20=20=20(tha?= =?UTF-8?q?nks=20to=20Simon=20Wilkinson=20for=20help=20with=20this=20-dt)?= =?UTF-8?q?=20=20=20=20-=20markus@cvs.openbsd.org=202003/07/16=2015:02:06?= =?UTF-8?q?=20=20=20=20=20=20[auth-krb5.c]=20=20=20=20=20=20mcc=20->=20fcc?= =?UTF-8?q?;=20from=20Love=20H=C3=B6rnquist=20=C3=85strand=20=20=20=20=20=20=20otherwise=20the=20kerberos=20credentinal=20i?= =?UTF-8?q?s=20stored=20in=20a=20memory=20cache=20=20=20=20=20=20in=20the?= =?UTF-8?q?=20privileged=20sshd.=20ok=20jabob@,=20hin@=20(some=20time=20ag?= =?UTF-8?q?o)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- auth-krb5.c | 28 ++++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) (limited to 'auth-krb5.c') diff --git a/auth-krb5.c b/auth-krb5.c index 0a6f826e..b04c6649 100644 --- a/auth-krb5.c +++ b/auth-krb5.c @@ -28,7 +28,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-krb5.c,v 1.10 2002/11/21 23:03:51 deraadt Exp $"); +RCSID("$OpenBSD: auth-krb5.c,v 1.11 2003/07/16 15:02:06 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -265,6 +265,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password) int tmpfd; #endif krb5_error_code problem; + krb5_ccache ccache = NULL; if (authctxt->pw == NULL) return (0); 
@@ -281,23 +282,35 @@ auth_krb5_password(Authctxt *authctxt, const char *password) goto out; #ifdef HEIMDAL - problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, - &authctxt->krb5_fwd_ccache); + problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache); if (problem) goto out; - problem = krb5_cc_initialize(authctxt->krb5_ctx, - authctxt->krb5_fwd_ccache, authctxt->krb5_user); + problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache, + authctxt->krb5_user); if (problem) goto out; restore_uid(); + problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user, - authctxt->krb5_fwd_ccache, password, 1, NULL); + ccache, password, 1, NULL); + temporarily_use_uid(authctxt->pw); if (problem) goto out; + problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, + &authctxt->krb5_fwd_ccache); + if (problem) + goto out; + + problem = krb5_cc_copy_cache(authctxt->krb5_ctx, ccache, + authctxt->krb5_fwd_ccache); + krb5_cc_destroy(authctxt->krb5_ctx, ccache); + ccache = NULL; + if (problem) + goto out; #else problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds, @@ -361,6 +374,9 @@ auth_krb5_password(Authctxt *authctxt, const char *password) restore_uid(); if (problem) { + if (ccache) + krb5_cc_destroy(authctxt->krb5_ctx, ccache); + if (authctxt->krb5_ctx != NULL && problem!=-1) debug("Kerberos password authentication failed: %s", krb5_get_err_text(authctxt->krb5_ctx, problem)); -- cgit v1.2.3
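Review bot: The call order around the second `krb5_cc_gen_new` (the one using `krb5_fcc_ops`) is security-relevant, but nothing in the code says so. The password is verified into the temporary memory cache after `restore_uid()`, and the file-backed cache is generated and filled only after `temporarily_use_uid(authctxt->pw)`, so the credential file is presumably created under the user's identity rather than the privileged one. A later refactor that moves the file-cache creation above `temporarily_use_uid()` would silently change who creates and owns that file. I would add a comment above the second `krb5_cc_gen_new`, for example `/* create the file ccache only after temporarily_use_uid(): it must belong to the user, not to privileged sshd */`. The function body starts and ends outside this hunk.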
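Review bot: The cleanup added to the `if (problem)` branch destroys only the temporary `ccache`. A failure of `krb5_cc_copy_cache` in the previous hunk reaches this branch with `authctxt->krb5_fwd_ccache` already generated as a file-backed cache, which may hold a partial copy of the credentials. The rest of the branch is outside the hunk, so a later cleanup call may already destroy it. If none does, and assuming the field stays NULL until a cache is generated, this is the place to remove it: `if (authctxt->krb5_fwd_ccache) { krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache); authctxt->krb5_fwd_ccache = NULL; }`.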