[Fwd: Kerberos buglet in OpenSSH-3.3p1]

Jacques A. Vidrine nectar at FreeBSD.org
Thu Jun 27 00:10:16 EST 2002


On Wed, Jun 26, 2002 at 07:35:14PM +1000, Damien Miller wrote:
> Can anyone with Heimdal KrbV verify this?

I've used this patch for many moons with Heimdal.  It should do the
right thing in the MIT Kerberos case, also.

--- servconf.c	Fri Jun 21 01:20:44 2002
+++ servconf.c.good	Wed Jun 26 09:05:09 2002
@@ -16,13 +16,7 @@
 #include <krb.h>
 #endif
 #if defined(KRB5)
-#ifdef HEIMDAL
-#include <krb.h>
-#else
-/* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
- * keytab */
-#define KEYFILE "/etc/krb5.keytab"
-#endif
+extern const char *krb5_defkeyname;
 #endif
 #ifdef AFS
 #include <kafs.h>
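Review bot: the hand-written `extern const char *krb5_defkeyname;` in the KRB5 block declares a library variable without including the header that owns it, so a change of type or name in either Kerberos implementation would show up only at link time or at run time. Prefer including <krb5.h> and, if that header does not export the symbol, getting the default keytab name through the public krb5_kt_default_name() call; at minimum add a comment naming the libraries known to export this variable.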
@@ -130,6 +124,10 @@
 void
 fill_default_server_options(ServerOptions *options)
 {
+	int krb4_keyfile, krb5_keyfile;
+
+	krb4_keyfile = krb5_keyfile = 0;
+
 	/* Portable-specific options */
 	if (options->pam_authentication_via_kbd_int == -1)
 		options->pam_authentication_via_kbd_int = 0;
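Review bot: krb4_keyfile and krb5_keyfile are declared and zeroed unconditionally at the top of fill_default_server_options(), but the later hunk only reads them inside `#if defined(KRB4) || defined(KRB5)`. Put the declaration and the initialisation under the same guard so that builds without Kerberos do not carry set-but-unused variables and the compiler warnings that come with them.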
@@ -199,9 +197,15 @@
 		options->rsa_authentication = 1;
 	if (options->pubkey_authentication == -1)
 		options->pubkey_authentication = 1;
+#ifdef KRB4
+	krb4_keyfile = (access(KEYFILE, R_OK) == 0);
+#endif
+#ifdef KRB5
+	krb5_keyfile = (access(krb5_defkeyname, R_OK) == 0);
+#endif
 #if defined(KRB4) || defined(KRB5)
 	if (options->kerberos_authentication == -1)
-		options->kerberos_authentication = 0;
+		options->kerberos_authentication = krb4_keyfile||krb5_keyfile;
 	if (options->kerberos_or_local_passwd == -1)
 		options->kerberos_or_local_passwd = 1;
 	if (options->kerberos_ticket_cleanup == -1)
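Review bot: the default for kerberos_authentication changes here from a fixed 0 to `krb4_keyfile||krb5_keyfile`, so an sshd whose configuration never mentions the option starts offering Kerberos authentication as soon as a readable keytab exists on the host; that behaviour needs to be stated in the sshd_config documentation and is worth a log line at startup. In the probe itself, access() treats krb5_defkeyname as a plain filesystem path, so if the library's default name carries a keytab type prefix such as FILE: the test will always fail, and access() checks against the real rather than the effective uid. A short comment stating the intent, and spaces around `||`, would also help.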

Content-Description: Forwarded message - Kerberos buglet in OpenSSH-3.3p1
> Date: 25 Jun 2002 14:52:10 +0200
> From: Dag-Erling Smorgrav <des at ofug.org>
> To: djm at mindrot.org
> Subject: Kerberos buglet in OpenSSH-3.3p1
> 
> servconf.c includes the wrong header for Kerberos V:
> 
> --- servconf.c   24 Jun 2002 22:46:15 -0000      1.111
> +++ servconf.c   25 Jun 2002 01:16:22 -0000
> @@ -17,7 +17,7 @@
>  #endif
>  #if defined(KRB5)
>  #ifdef HEIMDAL
> -#include <krb.h>
> +#include <krb5.h>
>  #else
>  /* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
>   * keytab */
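Review bot: the HEIMDAL branch switches from <krb.h> to <krb5.h>, but the comment kept in the `#else` branch says this block exists to supply KEYFILE, which is a Kerberos IV name. Please confirm that something still defines KEYFILE for a Heimdal build without KRB4 after this change, or add the definition in the HEIMDAL branch, otherwise any later use of KEYFILE in servconf.c will fail to compile.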
> 
> DES
> -- 
> Dag-Erling Smorgrav - des at ofug.org


-- 
Jacques A. Vidrine <n at nectar.cc>                 http://www.nectar.cc/
NTT/Verio SME          .     FreeBSD UNIX     .       Heimdal Kerberos
jvidrine at verio.net     .  nectar at FreeBSD.org  .          nectar at kth.se


