Help request: merging OpenBSD Kerberos change into Portable.
Darren Tucker
dtucker at zip.com.au
Fri Aug 8 20:09:33 EST 2003
sxw at inf.ed.ac.uk wrote:
> On Fri, 8 Aug 2003, Darren Tucker wrote:
[krb5 merge]
> There aren't any changes necessary in the non-Heimdal path. The change
> moves the Heimdal code from using a memory based ccache to store user
> credentials, to using a file based one. The non-Heimdal code has
> always used a file based ccache.
Thanks! I've merged the changes into the portable tree and compiled it
--with-kerberos5, which compiled OK. I've double-checked it against the
OpenBSD diff and I think it's OK, but please let me know if I've missed
anything.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
-------------- next part --------------
Index: auth-krb5.c
===================================================================
RCS file: /var/cvs/openssh/auth-krb5.c,v
retrieving revision 1.13
diff -u -p -r1.13 auth-krb5.c
--- auth-krb5.c 14 May 2003 04:31:11 -0000 1.13
+++ auth-krb5.c 8 Aug 2003 09:44:16 -0000
@@ -28,7 +28,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-krb5.c,v 1.10 2002/11/21 23:03:51 deraadt Exp $");
+RCSID("$OpenBSD: auth-krb5.c,v 1.11 2003/07/16 15:02:06 markus Exp $");
#include "ssh.h"
#include "ssh1.h"
@@ -265,6 +265,7 @@ auth_krb5_password(Authctxt *authctxt, c
int tmpfd;
#endif
krb5_error_code problem;
+ krb5_ccache ccache = NULL;
if (authctxt->pw == NULL)
return (0);
@@ -281,23 +282,35 @@ auth_krb5_password(Authctxt *authctxt, c
goto out;
#ifdef HEIMDAL
- problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops,
- &authctxt->krb5_fwd_ccache);
+ problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache);
if (problem)
goto out;
- problem = krb5_cc_initialize(authctxt->krb5_ctx,
- authctxt->krb5_fwd_ccache, authctxt->krb5_user);
+ problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
+ authctxt->krb5_user);
if (problem)
goto out;
restore_uid();
+
problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
- authctxt->krb5_fwd_ccache, password, 1, NULL);
+ ccache, password, 1, NULL);
+
temporarily_use_uid(authctxt->pw);
if (problem)
goto out;
+ problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
+ &authctxt->krb5_fwd_ccache);
+ if (problem)
+ goto out;
+
+ problem = krb5_cc_copy_cache(authctxt->krb5_ctx, ccache,
+ authctxt->krb5_fwd_ccache);
+ krb5_cc_destroy(authctxt->krb5_ctx, ccache);
+ ccache = NULL;
+ if (problem)
+ goto out;
#else
problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
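Review bot: in the HEIMDAL branch, a krb5_cc_copy_cache failure jumps to out after krb5_cc_gen_new(..., &krb5_fcc_ops, &authctxt->krb5_fwd_ccache) has already created the file ccache, and the cleanup this patch adds only covers the temporary ccache. Please confirm that the existing out path also destroys authctxt->krb5_fwd_ccache in that case, so that a partially populated credential file is not left behind. A short comment would also help here, saying that the password is verified against the memory ccache first and the credentials are copied to the file ccache only after temporarily_use_uid(authctxt->pw), since that ordering is what puts the file creation under the user's uid.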
@@ -361,6 +374,9 @@ auth_krb5_password(Authctxt *authctxt, c
restore_uid();
if (problem) {
+ if (ccache)
+ krb5_cc_destroy(authctxt->krb5_ctx, ccache);
+
if (authctxt->krb5_ctx != NULL && problem!=-1)
debug("Kerberos password authentication failed: %s",
krb5_get_err_text(authctxt->krb5_ctx, problem));
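Review bot: the new krb5_cc_destroy(authctxt->krb5_ctx, ccache) in the error path runs without the authctxt->krb5_ctx != NULL test that guards the debug() call directly below it. It looks safe, because ccache is only ever set by krb5_cc_gen_new in the HEIMDAL branch once the context is in use, but a one-line comment stating that invariant, or moving the destroy under the same guard, would make it explicit. Since ccache stays NULL in the non-Heimdal build, this branch is dead code there, and wrapping it in #ifdef HEIMDAL would document that.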