patch: disable credential forwarding after password auth.

Jan IVEN jan.iven at cern.ch
Tue Jul 30 17:36:36 EST 2002


Dear list,

since the order of authentication and AFS token/KRB TGT forwarding
changed (around 3.0), we have had problems with users accidentally
overwriting the credentials obtained from a "password" login with their
forwarded credentials. E.g. user A logs in as user B via password, but
the forwarded credentials leave the session with the AFS permissions of
user A. A workaround is to use "-k" on these sessions, but "it worked
without before...".

The appended patch rejects credential forwarding after a successful
password authentication. While there may be uses for such a credential
forwarding after password auth (remote cell credentials), in my
experience practically nobody uses them (at least not here).

Now, if somebody has ideas on how to interoperate with older clients
(which attempt the credential forwarding before authentication), I'd
be most grateful.

Best regards
Jan

--- openssh-3.4p1.orig/auth-passwd.c	Fri Jun 21 08:05:13 2002
+++ openssh-3.4p1/auth-passwd.c	Mon Jul 29 16:39:48 2002
@@ -89,14 +89,19 @@
 int
 auth_password(Authctxt *authctxt, const char *password)
 {
+	int retval = 0;
 #if defined(USE_PAM)
-	if (*password == '\0' && options.permit_empty_passwd == 0)
-		return 0;
-	return auth_pam_password(authctxt, password);
+	if (*password == '\0' && options.permit_empty_passwd == 0) {
+		retval=0 ; goto out;
+	}
+	retval=auth_pam_password(authctxt, password);
+	goto out;
 #elif defined(HAVE_OSF_SIA)
-	if (*password == '\0' && options.permit_empty_passwd == 0)
-		return 0;
-	return auth_sia_password(authctxt, password);
+	if (*password == '\0' && options.permit_empty_passwd == 0) {
+		retval=0 ; goto out; 
+	}
+	retval=auth_sia_password(authctxt, password);
+	goto out;
 #else
 	struct passwd * pw = authctxt->pw;
 	char *encrypted_password;
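Review bot: The added `retval=0 ; goto out;` lines re-assign a value that `retval` already holds from its initialiser on the first added line of this hunk, and the spacing and two-statements-per-line form depart from the surrounding OpenSSH formatting; each of these sites can be reduced to a plain `goto out;`, and the sites that set a non-zero value are clearer as `retval = auth_pam_password(authctxt, password);` followed by `goto out;` on its own line. The same pattern recurs in the next three hunks (the pw == NULL, root-login, empty-password, KRB5/KRB4, cygwin and BSD_AUTH branches), one of which also indents with a tab, a space and a tab, and a few added lines carry trailing whitespace. auth_password's body continues past the end of this hunk.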
@@ -118,19 +123,23 @@
 #endif
 
 	/* deny if no user. */
-	if (pw == NULL)
-		return 0;
+	if (pw == NULL) {
+		retval=0 ; goto out;
+	}
 #ifndef HAVE_CYGWIN
-       if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
-		return 0;
+	if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) {
+		retval=0 ; goto out;
+	}
 #endif
-	if (*password == '\0' && options.permit_empty_passwd == 0)
-		return 0;
+	if (*password == '\0' && options.permit_empty_passwd == 0) { 
+	 	retval=0 ; goto out;
+	}
 #ifdef KRB5
 	if (options.kerberos_authentication == 1) {
 		int ret = auth_krb5_password(authctxt, password);
-		if (ret == 1 || ret == 0)
-			return ret;
+		if (ret == 1 || ret == 0) {
+			 retval=ret ; goto out;
+		}
 		/* Fall back to ordinary passwd authentication. */
 	}
 #endif
@@ -138,29 +147,34 @@
 	if (is_winnt) {
 		HANDLE hToken = cygwin_logon_user(pw, password);
 
-		if (hToken == INVALID_HANDLE_VALUE)
-			return 0;
+		if (hToken == INVALID_HANDLE_VALUE) {
+			retval=0 ; goto out;
+		}
 		cygwin_set_impersonation_token(hToken);
-		return 1;
+		retval=1;
+		goto out; 
 	}
 #endif
 #ifdef WITH_AIXAUTHENTICATE
-	return (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);
+	retval=(authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);
+	goto out;
 #endif
 #ifdef KRB4
 	if (options.kerberos_authentication == 1) {
 		int ret = auth_krb4_password(authctxt, password);
-		if (ret == 1 || ret == 0)
-			return ret;
+		if (ret == 1 || ret == 0) {
+			retval=ret ; goto out;
+		}
 		/* Fall back to ordinary passwd authentication. */
 	}
 #endif
 #ifdef BSD_AUTH
 	if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",
-	    (char *)password) == 0)
-		return 0;
-	else
-		return 1;
+			  (char *)password) == 0) {
+		retval=0 ; goto out;
+	} else {
+		retval=1 ; goto out;
+	}
 #endif
 	pw_password = pw->pw_passwd;
 
@@ -189,8 +203,9 @@
 #endif /* defined(__hpux) && !defined(HAVE_SECUREWARE) */
 
 	/* Check for users with no password. */
-	if ((password[0] == '\0') && (pw_password[0] == '\0'))
-		return 1;
+	if ((password[0] == '\0') && (pw_password[0] == '\0')) {
+		retval=1 ; goto out;
+	}
 
 	if (pw_password[0] != '\0')
 		salt = pw_password;
@@ -218,6 +233,17 @@
 #endif /* HAVE_MD5_PASSWORDS */
 
 	/* Authentication is accepted if the encrypted passwords are identical. */
-	return (strcmp(encrypted_password, pw_password) == 0);
+	retval=(strcmp(encrypted_password, pw_password) == 0);
+	goto out;
 #endif /* !USE_PAM && !HAVE_OSF_SIA */
+
+
+ out:
+
+	if (retval) {
+	  debug("Disabling KRB4 TGT and AFS token forwarding after successful password auth");
+	  options.afs_token_passing = 0;
+	  options.kerberos_tgt_passing = 0;
+	}
+	return retval;
 }
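Review bot: The clearing of `options.afs_token_passing` and `options.kerberos_tgt_passing` at `out:` only affects forwarding requests the server processes after auth_password() has returned, so it does not cover the older-client ordering the cover letter mentions, and nothing in the code records that limit. I would put a comment above the `if (retval)` block: `/* A password login fixes the session identity; refuse later TGT/AFS forwarding so it cannot replace it. Forwarding that arrived before authentication is not covered. */`. `options` appears to be the server-wide ServerOptions, so this presumably relies on each connection being handled in its own sshd child process — worth confirming, otherwise the cleared flags would persist into later sessions of the same process. The body of the `if (retval)` block also uses two-space indentation where the rest of the function uses tabs, and the two blank lines before `out:` are surplus.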






