Is there a fix available for CAN-2003-0190

Darren Tucker dtucker at
Thu Dec 23 08:57:09 EST 2004

Sergio Gelato wrote:
> I see that the rest of that function has an "if (problem) goto out;" after
> every krb5 library call. Doesn't that also introduce measurable time
> differences? Interesting.

Possibly, but if the latter calls can't be safely done if the earlier 
ones fail then there may be no way to solve that.

> Maybe one should fill in a dummy, valid authctxt in such cases, and 
> make a note to fail the authentication at the end of the process.

That's what authctxt->valid is.  The dummy information is populated by 

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list