patch for krb4 authentication in openssh-3.5p1 on RH 8.0

Adam Mikulič mikulic at natur.cuni.cz
Fri Feb 14 22:42:41 EST 2003


Dear developers,

recently I tried to compile kerberos4 authentication support in
openssh-3.5p1 on Redhat 8.0. Unfortunately, authentication against a
kerberos server in a kerberos4 realm doesn't work well, probably due to
a bug in auth-krb4.c. My colleague David Komanek wrote a patch to this
file solving the problem, so credit goes to him. I'm sending this here,
believing that it can help somebody else.

PROBLEM DESCRIPTION:
The SSH daemon isn't able to authenticate a user against a kerberos4
server, although it accepts an already authenticated ssh client user with
a valid ticket (a client already authenticated via the 'kinit' command,
supported only when using an ssh client with ssh protocol version 1).
The daemon logs "WARNING: bad ticket file /tmp/tkt500_22696" and
"Couldn't initialize Kerberos ticket file for user!" and goes on to the
next authentication method (local password).

SOLUTION
The problem lies in the use of the function mkstemp() in auth-krb4.c. We
didn't test this on other Linux distributions, but most probably a change
in some part of the libc library in Redhat 8.0 results in mkstemp()
returning an error.

PATCH 

*** ../openssh-3.5p1/auth-krb4.c   2002-09-27 05:26:00.000000000 +0200
--- auth-krb4.c 2003-02-12 14:52:43.000000000 +0100
***************
*** 58,63 ****
                        tkt_root = "/ticket/";
  #endif /* AFS */
!               snprintf(authctxt->krb4_ticket_file, MAXPATHLEN,
"%s%u_%ld",
                    tkt_root, authctxt->pw->pw_uid, (long)getpid());
                krb_set_tkt_string(authctxt->krb4_ticket_file);
        }
--- 58,66 ----
                        tkt_root = "/ticket/";
  #endif /* AFS */
!                 char docasny[MAXPATHLEN + 1];
!               snprintf(docasny, MAXPATHLEN, "%s%u_%ld_XXXXXX",
                    tkt_root, authctxt->pw->pw_uid, (long)getpid());
+               snprintf(authctxt->krb4_ticket_file, MAXPATHLEN, "%s",
mktemp(docasny));
+               memset(docasny, '\0', MAXPATHLEN);
                krb_set_tkt_string(authctxt->krb4_ticket_file);
        }
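
Review bot: the new snprintf() into authctxt->krb4_ticket_file takes its name from mktemp(docasny), which only generates a name and creates nothing, and the later open() with O_EXCL has no retry, so a colliding file in the ticket directory simply makes the login fall through to the next method. The old format "%s%u_%ld" lacks the trailing XXXXXX that mkstemp() requires, so a smaller change is to write "%s%u_%ld_XXXXXX" directly into authctxt->krb4_ticket_file, keep mkstemp(), and call krb_set_tkt_string() only once the final name is known. Two smaller points: "char docasny[MAXPATHLEN + 1];" is declared after the tkt_root assignment, which C89 compilers reject, and the name would read better in English (for example tmpl); the memset() afterwards clears nothing sensitive and can go.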
***************
*** 68,72 ****
        }
        /* Try to create our ticket file. */
!       if ((fd = mkstemp(authctxt->krb4_ticket_file)) != -1) {
                close(fd);
                return (1);
--- 71,75 ----
        }
        /* Try to create our ticket file. */
!       if ((fd = open(authctxt->krb4_ticket_file, O_RDWR | O_EXCL |
O_CREAT)) >= 0) {
                close(fd);
                return (1);
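
Review bot: the open() call passes O_CREAT without the third mode argument, so the permission bits of the new ticket file are indeterminate. mkstemp() created the file accessible to the owner only, and a credential file needs the same, so pass an explicit mode here, for example open(..., O_RDWR | O_EXCL | O_CREAT, 0600). The failure branch that follows is not visible in this hunk; if it logs, including strerror(errno) would have shown why the original mkstemp() call failed.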



Adam Mikulic
Faculty of Science, Charles University Prague
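
Added example (not part of the original post and not OpenSSH code): on glibc, mkstemp() fails with EINVAL unless its template ends in six X characters, which the "%s%u_%ld" format in the unpatched snprintf() does not supply. The helper names, the uid 500 and the /tmp/tkt root are assumptions made for this illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define TKT_ROOT "/tmp/tkt"   /* constructed value for this example */

/* Hypothetical helper: build "<root><uid>_<pid><suffix>" and hand it to
 * mkstemp(). Returns 0 and leaves the created name in `path`, or returns
 * the errno reported by mkstemp(). */
static int make_ticket_file(const char *suffix, unsigned uid,
                            char *path, size_t len)
{
    int fd, n;

    n = snprintf(path, len, "%s%u_%ld%s", TKT_ROOT, uid, (long)getpid(), suffix);
    if (n < 0 || (size_t)n >= len)
        return ENAMETOOLONG;
    if ((fd = mkstemp(path)) == -1)
        return errno;
    close(fd);
    return 0;
}

/* Permission bits of `path`, or -1 if it cannot be stat'ed. */
static int file_mode(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

int main(void)
{
    char path[4096];
    int err;

    /* Name built as in the unpatched snprintf(): no trailing XXXXXX. */
    err = make_ticket_file("", 500, path, sizeof(path));
    printf("no XXXXXX:   %s (%s)\n", path, err ? strerror(err) : "created");

    /* Same name with the six X's mkstemp() needs. */
    err = make_ticket_file("_XXXXXX", 500, path, sizeof(path));
    printf("with XXXXXX: %s (%s), mode %o\n", path,
           err ? strerror(err) : "created", (unsigned)file_mode(path));
    if (err == 0)
        unlink(path);
    return 0;
}
```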



