author | 2005-08-30 22:08:05 +0000 | |
---|---|---|
committer | 2005-08-30 22:08:05 +0000 | |
commit | fd10e266c31aebeee90dc79e7c7e55d5083693ef (patch) | |
tree | cf666c7700e946588d1fde5bc34ab744a83eef6e /usr.bin/ssh/gss-serv.c | |
parent | remove -W from synopsis; ok deraadt@ jmc@ (diff) | |
destroy credentials if krb5_kuserok() call fails. Stops credentials being
delegated to users who are not authorised for GSSAPIAuthentication when
GSSAPIDelegateCredentials=yes and another authentication mechanism succeeds;
bz#1073 reported by paul.moore AT centrify.com, fix by simon AT sxw.org.uk,
tested todd@ biorn@ jakob@; ok deraadt@
Diffstat (limited to 'usr.bin/ssh/gss-serv.c')
-rw-r--r-- | usr.bin/ssh/gss-serv.c | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/usr.bin/ssh/gss-serv.c b/usr.bin/ssh/gss-serv.c
index e191eb5a037..11713045919 100644
--- a/usr.bin/ssh/gss-serv.c
+++ b/usr.bin/ssh/gss-serv.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gss-serv.c,v 1.7 2005/07/17 07:17:55 djm Exp $ */
+/* $OpenBSD: gss-serv.c,v 1.8 2005/08/30 22:08:05 djm Exp $ */
 /*
  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -275,13 +275,24 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep)
 int
 ssh_gssapi_userok(char *user)
 {
+	OM_uint32 lmin;
+
 	if (gssapi_client.exportedname.length == 0 ||
 	    gssapi_client.exportedname.value == NULL) {
 		debug("No suitable client data");
 		return 0;
 	}
 	if (gssapi_client.mech && gssapi_client.mech->userok)
-		return ((*gssapi_client.mech->userok)(&gssapi_client, user));
+		if ((*gssapi_client.mech->userok)(&gssapi_client, user))
+			return 1;
+		else {
+			/* Destroy delegated credentials if userok fails */
+			gss_release_buffer(&lmin, &gssapi_client.displayname);
+			gss_release_buffer(&lmin, &gssapi_client.exportedname);
+			gss_release_cred(&lmin, &gssapi_client.creds);
+			memset(&gssapi_client, 0, sizeof(ssh_gssapi_client));
+			return 0;
+		}
 	else
 		debug("ssh_gssapi_userok: Unknown GSSAPI mechanism");
 	return (0);
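Review bot: The new success/failure branches in ssh_gssapi_userok hang off the unbraced outer `if (gssapi_client.mech && gssapi_client.mech->userok)`, so the pairing of the final `else` with the outer `if` now depends on the dangling-else rule and only works because the inner `if` carries its own `else`; in a credential-destroying path that is fragile. Bracing the outer body and dropping the inner `else` makes the structure explicit: `if (gssapi_client.mech && gssapi_client.mech->userok) {`, then `if ((*gssapi_client.mech->userok)(&gssapi_client, user)) return 1;` followed directly by the release/memset block, closing with `} else`. The major-status results of the three `gss_release_*` calls are discarded; logging a failure with `debug()` would make it visible when a delegated credential was not actually released before the struct is zeroed. The function's closing brace lies outside the hunk.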