Help request: merging OpenBSD Kerberos change into Portable.

Darren Tucker dtucker at zip.com.au
Fri Aug 8 13:53:04 EST 2003


Hi All.
        I'm looking for some help to merge an outstanding Kerberos
credential cache change from OpenBSD into Portable.  I don't know enough
about Kerberos to figure out how that change should be applied for the
non-Heimdal(?) code path.

	The outstanding diff is attached.

        Any volunteers?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
-------------- next part --------------
revision 1.11
date: 2003/07/16 15:02:06;  author: markus;  state: Exp;  lines: +23 -6
mcc -> fcc; from Love Hörnquist Åstrand <lha at it.su.se>
otherwise the kerberos credential is stored in a memory cache
in the privileged sshd. ok jabob@, hin@ (some time ago)
=============================================================================

Index: auth-krb5.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/auth-krb5.c,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -p -u -r1.10 -r1.11
--- auth-krb5.c	2002/11/21 23:03:51	1.10
+++ auth-krb5.c	2003/07/16 15:02:06	1.11
@@ -28,7 +28,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-krb5.c,v 1.10 2002/11/21 23:03:51 deraadt Exp $");
+RCSID("$OpenBSD: auth-krb5.c,v 1.11 2003/07/16 15:02:06 markus Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -208,6 +208,7 @@ int
 auth_krb5_password(Authctxt *authctxt, const char *password)
 {
 	krb5_error_code problem;
+	krb5_ccache ccache = NULL;
 
 	if (authctxt->pw == NULL)
 		return (0);
@@ -223,30 +224,46 @@ auth_krb5_password(Authctxt *authctxt, c
 	if (problem)
 		goto out;
 
-	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops,
-	    &authctxt->krb5_fwd_ccache);
+	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache);
 	if (problem)
 		goto out;
 
-	problem = krb5_cc_initialize(authctxt->krb5_ctx,
-	    authctxt->krb5_fwd_ccache, authctxt->krb5_user);
+	problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache, 
+		authctxt->krb5_user);
 	if (problem)
 		goto out;
 
 	restore_uid();
+
 	problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
-	    authctxt->krb5_fwd_ccache, password, 1, NULL);
+	    ccache, password, 1, NULL);
+
 	temporarily_use_uid(authctxt->pw);
 
 	if (problem)
 		goto out;
 
+	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, 
+	    &authctxt->krb5_fwd_ccache);
+	if (problem)
+		goto out;
+
+	problem = krb5_cc_copy_cache(authctxt->krb5_ctx, ccache,
+	    authctxt->krb5_fwd_ccache);
+	krb5_cc_destroy(authctxt->krb5_ctx, ccache);
+	ccache = NULL;
+	if (problem)
+		goto out;
+
 	authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
 
  out:
 	restore_uid();
 
 	if (problem) {
+		if (ccache)
+			krb5_cc_destroy(authctxt->krb5_ctx, ccache);
+
 		if (authctxt->krb5_ctx != NULL)
 			debug("Kerberos password authentication failed: %s",
 			    krb5_get_err_text(authctxt->krb5_ctx, problem));
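
Review bot: In the error path at `out:`, only the temporary `ccache` is destroyed; if `krb5_cc_copy_cache` fails, the file cache just created with `krb5_fcc_ops` in `authctxt->krb5_fwd_ccache` is not cleaned up in the lines shown here. Check that the rest of the `out:` block (not visible in this hunk) destroys it, otherwise a partially written credential file could be left on disk. The `krb5_fcc_ops` cache is generated after `temporarily_use_uid(authctxt->pw)`, so it is created under the user's identity, and a port to the other Kerberos code path should keep that ordering. The return value of `krb5_cc_destroy` on the memory cache is ignored, which is acceptable for cleanup but worth a short comment. Style: the added lines ending in `ccache, ` and `&krb5_fcc_ops, ` carry trailing whitespace.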

