Patch to auth-krb4.c

Booker C. Bense bbense at networking.stanford.edu
Fri Nov 2 09:26:31 EST 2001


- In the MIT k4 emulation libraries that come with version 1.2.* of
the MIT src code there is an internal check that the owner of
a tkt and the owner of a process must match in order for the
library calls to succeed. This is a change from older versions
of the code and the kth libraries.

- Basically what happens is that auth_krb4_password does the
chown on the credentials before it is through with them. In order
for the MIT k4 emulation libraries to work correctly, this
chown[1] must be delayed until after the tkt is verified against
the local srvtab. I'm not sure why the chown is where it is
anyway. Unless the verification succeeds, the tkt is destroyed.
So, this patch won't change any behaviour with current kerberos
libraries and will make the code compatible with the MIT K5
src code.

- While the current version of openssl and MIT K5 are incompatible
out of the box, this won't be true with openssl.0.9.7. To make
this work locally, I've hacked the MIT des425 libraries.

- Booker C. Bense

[1]- Login.krb5 in the new k5 src tree goes to great lengths
     to avoid chowning tkt files. There is some subtle race
     condition here that I don't understand well enough to
     know whether sshd is vulnerable.
Index: auth-krb4.c
===================================================================
RCS file: /afs/ir/dev/cvs/kerberos/openssh/auth-krb4.c,v
retrieving revision 1.1.1.1
retrieving revision 1.3
diff -u -r1.1.1.1 -r1.3
--- auth-krb4.c	2001/10/01 18:18:44	1.1.1.1
+++ auth-krb4.c	2001/11/01 22:01:51	1.3
@@ -122,12 +122,18 @@
 		r = krb_get_pw_in_tkt((char *) pw->pw_name, "", realm,
 		    "krbtgt", realm, DEFAULT_TKT_LIFE, (char *)password);
 		if (r != INTK_OK) {
-			debug("Kerberos v4 password authentication for %s "
-			    "failed: %s", pw->pw_name, krb_err_txt[r]);
+			debug("Kerberos v4 password authentication for %s@%s "
+			    "failed: %s", pw->pw_name, realm, krb_err_txt[r]);
 			goto failure;
 		}
+		
+		/* In the MIT K5 k4 emulation libraries, the uid of the process
+		   must match the uid of the owner of the tkt file or the library
+		   calls will fail. This is a change from both kth and the older
+		   cygnus code. This means the chown must happen after any verfication.
+		*/ 
 		/* Successful authentication. */
-		chown(tkt_string(), pw->pw_uid, pw->pw_gid);
+		/* chown(tkt_string(), pw->pw_uid, pw->pw_gid); */ 
 		
 		/*
 		 * Now that we have a TGT, try to get a local
@@ -182,6 +188,7 @@
 			goto failure;
 		}
 		/* Authentication succeeded. */
+		chown(tkt_string(), pw->pw_uid, pw->pw_gid); 
 		return (1);
 	} else
 		/* Logging in as root or no local Kerberos realm. */
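Review bot: The relocated `chown(tkt_string(), pw->pw_uid, pw->pw_gid);` still discards its return value, so a failed chown leaves the ticket file owned by the uid sshd is running as while the function still returns 1; check the result and treat a failure like the other `goto failure` paths in this block. Since the ticket file is now still root-owned while it is verified against the srvtab, the failure paths above this hunk must keep destroying it, as the cover note states they do; the added line also has trailing whitespace.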

