[Bug 1073] if userok rejects a user their creds still get set
bugzilla-daemon at mindrot.org
Fri Aug 26 06:49:36 EST 2005
http://bugzilla.mindrot.org/show_bug.cgi?id=1073
Summary: if userok rejects a user their creds still get set
Product: Portable OpenSSH
Version: 3.9p1
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: Kerberos support
AssignedTo: bitbucket at mindrot.org
ReportedBy: paul.moore at centrify.com
Tested on 3.9p1 - code inspection shows the same issue in 4.x
I have gss_auth set up on both ends. Works fine. I decide that I need to ssh to
the server as a different user.
So I do ssh notme@<host>
Then
a) I get prompted for a password for notme and log in ok
b) the credential cache is set to krb5cc_<uid>_xxxx and is loaded with my
originating credentials, even though I am not logged on as that principal
This is very surprising.
The reason is that kuserok is called right at the end of auth, the creds have
been forwarded and sshd is ready to set up the logged in user's environment; then
right at the last moment we decide not to allow gss to work - but sshd still
stores the creds it has.
One line fix to this. In ssh_gssapi_krb5_userok, after failure do
krb5_free_creds(krb_context, client->creds);
This blows the forwarded creds away and so storecreds (called later) does
nothing.
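The failure mode described in the report, as an added example that is not part of the original report or of OpenSSH's code: a self-contained C model in which the later store step looks only at whether forwarded credentials are still held, run once without and once with a release on authorization failure. All type and function names are hypothetical, and the principal me@EXAMPLE.TEST is constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Model only: every name below is hypothetical, none is OpenSSH's. */
struct gss_client {
    char principal[64];  /* authenticated GSS principal */
    char creds[64];      /* forwarded credentials, modelled as a string */
    bool has_creds;      /* true while forwarded credentials are held */
};

/* Stand-in for kuserok: the principal's local part must equal the account. */
static bool principal_may_login(const char *principal, const char *account) {
    size_t n = strcspn(principal, "@");
    return strlen(account) == n && strncmp(principal, account, n) == 0;
}

/* Authorization step. With release_on_deny, a rejected principal's
 * forwarded credentials are wiped at once (fail closed). */
static bool userok(struct gss_client *c, const char *account, bool release_on_deny) {
    if (principal_may_login(c->principal, account))
        return true;
    if (release_on_deny) {
        memset(c->creds, 0, sizeof c->creds);
        c->has_creds = false;
    }
    return false;
}

/* Later session setup: fills the cache whenever credentials are still held. */
static bool storecreds(const struct gss_client *c, char *cache, size_t len) {
    if (!c->has_creds)
        return false;
    snprintf(cache, len, "%s", c->creds);
    return true;
}

/* One login in which GSS may be refused and another method then succeeds.
 * Returns true if the session ends up with a populated credential cache. */
static bool login_leaves_cache(const char *principal, const char *account, bool release_on_deny) {
    struct gss_client c = { .has_creds = true };
    char cache[64] = "";
    snprintf(c.principal, sizeof c.principal, "%s", principal);
    snprintf(c.creds, sizeof c.creds, "%s", principal);
    (void)userok(&c, account, release_on_deny); /* store step never sees this result */
    return storecreds(&c, cache, sizeof cache);
}
```

Calling `login_leaves_cache("me@EXAMPLE.TEST", "notme", false)` returns true (the cache is filled for the wrong account), while the same call with `true` returns false.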