Darren Tucker
2003-Aug-08 03:53 UTC
Help request: merging OpenBSD Kerberos change into Portable.
Hi All. I'm looking for some help to merge an outstanding Kerberos credential cache change from OpenBSD into Portable. I don't know enough about Kerberos to figure out how that change should be applied for the non-Heimdal(?) code path. The outstanding diff is attached. Any volunteers?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

-------------- next part --------------
revision 1.11
date: 2003/07/16 15:02:06; author: markus; state: Exp; lines: +23 -6
mcc -> fcc; from Love Hörnquist Åstrand <lha at it.su.se>
otherwise the kerberos credential is stored in a memory cache in the privileged sshd.
ok jabob@, hin@ (some time ago)
============================================================================
Index: auth-krb5.c ==================================================================RCS file: /cvs/src/usr.bin/ssh/auth-krb5.c,v retrieving revision 1.10 retrieving revision 1.11 diff -u -p -u -r1.10 -r1.11 --- auth-krb5.c 2002/11/21 23:03:51 1.10 +++ auth-krb5.c 2003/07/16 15:02:06 1.11 @@ -28,7 +28,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-krb5.c,v 1.10 2002/11/21 23:03:51 deraadt Exp $"); +RCSID("$OpenBSD: auth-krb5.c,v 1.11 2003/07/16 15:02:06 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -208,6 +208,7 @@ int auth_krb5_password(Authctxt *authctxt, const char *password) { krb5_error_code problem; + krb5_ccache ccache = NULL; if (authctxt->pw == NULL) return (0); 
@@ -223,30 +224,46 @@ auth_krb5_password(Authctxt *authctxt, c if (problem) goto out; - problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, - &authctxt->krb5_fwd_ccache); + problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache); if (problem) goto out; - problem = krb5_cc_initialize(authctxt->krb5_ctx, - authctxt->krb5_fwd_ccache, authctxt->krb5_user); + problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache, + authctxt->krb5_user); if (problem) goto out; restore_uid(); + problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user, - authctxt->krb5_fwd_ccache, password, 1, NULL); + ccache, password, 1, NULL); + temporarily_use_uid(authctxt->pw); if (problem) goto out; + problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, + &authctxt->krb5_fwd_ccache); + if (problem) + goto out; + + problem = krb5_cc_copy_cache(authctxt->krb5_ctx, ccache, + authctxt->krb5_fwd_ccache); + krb5_cc_destroy(authctxt->krb5_ctx, ccache); + ccache = NULL; + if (problem) + goto out; + authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache); out: restore_uid(); if (problem) { + if (ccache) + krb5_cc_destroy(authctxt->krb5_ctx, ccache); + if (authctxt->krb5_ctx != NULL) debug("Kerberos password authentication failed: %s", krb5_get_err_text(authctxt->krb5_ctx, problem));
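Review bot: on the failure path after krb5_cc_copy_cache, the visible `out:` block only destroys the memory cache (`if (ccache) krb5_cc_destroy(...)`), but by then authctxt->krb5_fwd_ccache already points at the freshly created file cache (krb5_fcc_ops); unless the rest of that block destroys it, a failed login leaves a partially written credential file on disk. Suggest destroying krb5_fwd_ccache (and clearing krb5_ticket_file) on that path as well. The uid handling around krb5_verify_user also deserves a one-line comment: verification still runs after restore_uid(), and the new temporarily_use_uid(authctxt->pw) call is placed before the file cache is created, which is what keeps the privileged sshd from creating the ticket file itself; a reader merging this into Portable needs that ordering preserved.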
sxw at inf.ed.ac.uk
2003-Aug-08 09:36 UTC
Help request: merging OpenBSD Kerberos change into Portable.
On Fri, 8 Aug 2003, Darren Tucker wrote:
> Hi All.
> I'm looking for some help to merge an outstanding Kerberos
> credential cache change from OpenBSD into Portable. I don't know enough
> about Kerberos to figure out how that change should be applied for the
> non-Heimdal(?) code path.

There aren't any changes necessary in the non-Heimdal path. The change moves the Heimdal code from using a memory-based ccache to store user credentials to using a file-based one. The non-Heimdal code has always used a file-based ccache.

[Aside: It would be significantly nicer architecturally to store a user's credentials in memory until the last minute, and then have one location in which they are written out, rather than the current situation where the store-credentials code is duplicated.]

Cheers,
Simon