openssh bugs - Oct 2003 - [Bug 751] KRB5CCNAME set incorrectly in GSSAPI code

http://bugzilla.mindrot.org/show_bug.cgi?id=751

           Summary: KRB5CCNAME set incorrectly in GSSAPI code
           Product: Portable OpenSSH
           Version: -current
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Kerberos support
        AssignedTo: openssh-bugs at mindrot.org
        ReportedBy: smichaud at pobox.com


This is something we missed when going over the GSSAPI code this August.

The code in ssh_gssapi_krb5_storecreds() in gss-serv-krb5.c doesn't set the
KRB5CCNAME environment variable correctly.  At present it includes only the
cache's "name".  But it should actually include both it's
"type" and it's
"name", separated by a colon ':' -- e.g.
"FILE:/tmp/krb5cc_100_Ao7629".  (Simon
Wilkinson's patches to 3.6.1p2 and previous versions did this correctly.)

I'll add a patch to fix the problem.  I made the code general enough to work
with other cache "types" -- e.g. API or MEMORY.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=751





------- Additional Comments From smichaud at pobox.com  2003-10-31 07:24 -------
Created an attachment (id=490)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=490&action=view)
Fix to set KRB5CCNAME correctly in GSSAPI code




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=751

smichaud at pobox.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #490 is|0                           |1
           obsolete|                            |



------- Additional Comments From smichaud at pobox.com  2003-10-31 07:36 -------
Created an attachment (id=491)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=491&action=view)
Another patch to set KRB5CCNAME correctly in GSSAPI code

Oops, my first fix wasn't general enough.  Here's a better one.




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=751





------- Additional Comments From simon at sxw.org.uk  2003-11-02 12:37 -------
I think this patch is probably over complex.

In both the Heimdal and MIT cases we constrain ourselves to FILE: credential
caches (the call to the Heimdal variant with &krb5_fcc_ops, and the
'FILE:'
prefix to the MIT code). Under Unix, MIT Kerberos defaults to using
'FILE' when
no credential cache type is given and Heimdal always defaults to using
'FILE'.

For correctness, we should probably prefix the cache with 'FILE'.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.