[Fwd: Kerberos buglet in OpenSSH-3.3p1]
Jacques A. Vidrine
nectar at FreeBSD.org
Thu Jun 27 00:10:16 EST 2002
On Wed, Jun 26, 2002 at 07:35:14PM +1000, Damien Miller wrote:
> Can anyone with Heimdal KrbV verify this?
I've used this patch for many moons with Heimdal. It should do the
right thing in the MIT Kerberos case, also.
--- servconf.c Fri Jun 21 01:20:44 2002
+++ servconf.c.good Wed Jun 26 09:05:09 2002
@@ -16,13 +16,7 @@
#include <krb.h>
#endif
#if defined(KRB5)
-#ifdef HEIMDAL
-#include <krb.h>
-#else
-/* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
- * keytab */
-#define KEYFILE "/etc/krb5.keytab"
-#endif
+extern const char *krb5_defkeyname;
#endif
#ifdef AFS
#include <kafs.h>
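Review bot: The hand-written `extern const char *krb5_defkeyname;` in the KRB5 block is not checked against any library header, so a type mismatch, or a Kerberos library that does not export the symbol, only shows up at link time or later. Include <krb5.h> and use the declaration from the library where its header provides one, or get the default keytab name through a public call such as krb5_kt_default_name(), so that both the Heimdal and MIT builds get a declaration the compiler can verify. Since this hunk also drops the KRB5-only definition of KEYFILE, check that no KRB5-only code elsewhere in the file still refers to it.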
@@ -130,6 +124,10 @@
void
fill_default_server_options(ServerOptions *options)
{
+ int krb4_keyfile, krb5_keyfile;
+
+ krb4_keyfile = krb5_keyfile = 0;
+
/* Portable-specific options */
if (options->pam_authentication_via_kbd_int == -1)
options->pam_authentication_via_kbd_int = 0;
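Review bot: krb4_keyfile and krb5_keyfile are declared unconditionally at the top of fill_default_server_options(), but the patch only reads them inside the `#if defined(KRB4) || defined(KRB5)` block, so a build without Kerberos carries two variables that are set and never used. Put the declaration under the same guard and initialise it in place, for example `int krb4_keyfile = 0, krb5_keyfile = 0;`.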
@@ -199,9 +197,15 @@
options->rsa_authentication = 1;
if (options->pubkey_authentication == -1)
options->pubkey_authentication = 1;
+#ifdef KRB4
+ krb4_keyfile = (access(KEYFILE, R_OK) == 0);
+#endif
+#ifdef KRB5
+ krb5_keyfile = (access(krb5_defkeyname, R_OK) == 0);
+#endif
#if defined(KRB4) || defined(KRB5)
if (options->kerberos_authentication == -1)
- options->kerberos_authentication = 0;
+ options->kerberos_authentication = krb4_keyfile||krb5_keyfile;
if (options->kerberos_or_local_passwd == -1)
options->kerberos_or_local_passwd = 1;
if (options->kerberos_ticket_cleanup == -1)
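Review bot: With `options->kerberos_authentication = krb4_keyfile||krb5_keyfile;` the default for an unset KerberosAuthentication is no longer a fixed 0 but depends on whether a keytab is readable at the moment the defaults are filled in, so an authentication method can become enabled without any line in the configuration file; that belongs in the sshd_config documentation and in the commit message. The access() calls also assume that KEYFILE and krb5_defkeyname are plain filesystem paths: if the Kerberos V default keytab name carries a type prefix, access() fails and the default silently stays 0, so strip the prefix first or probe the keytab through the library. Spaces around `||` would match the `#if defined(KRB4) || defined(KRB5)` line just above.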
Content-Description: Forwarded message - Kerberos buglet in OpenSSH-3.3p1
> Date: 25 Jun 2002 14:52:10 +0200
> From: Dag-Erling Smorgrav <des at ofug.org>
> To: djm at mindrot.org
> Subject: Kerberos buglet in OpenSSH-3.3p1
>
> servconf.c includes the wrong header for Kerberos V:
>
> --- servconf.c 24 Jun 2002 22:46:15 -0000 1.111
> +++ servconf.c 25 Jun 2002 01:16:22 -0000
> @@ -17,7 +17,7 @@
> #endif
> #if defined(KRB5)
> #ifdef HEIMDAL
> -#include <krb.h>
> +#include <krb5.h>
> #else
> /* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
> * keytab */
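Review bot: Once the HEIMDAL branch reads `#include <krb5.h>`, nothing in this hunk shows where KEYFILE comes from in a Heimdal build: the comment in the #else branch describes KEYFILE as the Kerberos IV name, and that branch defines it by hand for the non-Heimdal case only. Confirm that later uses of KEYFILE still compile with Heimdal when KRB4 is not defined, or give the HEIMDAL branch its own definition.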
>
> DES
> --
> Dag-Erling Smorgrav - des at ofug.org
--
Jacques A. Vidrine <n at nectar.cc> http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine at verio.net . nectar at FreeBSD.org . nectar at kth.se