--- appl/bsd/login.c.ORIG Wed Oct 13 12:55:47 1999 +++ appl/bsd/login.c Wed Oct 13 12:56:29 1999 @@ -518,6 +518,7 @@ if (!getenv(KRB5_ENV_CCNAME)) { sprintf(ccfile, "FILE:/tmp/krb5cc_p%d", getpid()); setenv(KRB5_ENV_CCNAME, ccfile, 1); + krb5_cc_set_default_name(kcontext, ccfile); unlink(ccfile+strlen("FILE:")); } else { /* note it correctly */ @@ -1303,19 +1304,6 @@ setpriority(PRIO_PROCESS, 0, 0 + PRIO_OFFSET); } - /* Policy: If local password is good, user is good. - We really can't trust the Kerberos password, - because somebody on the net could spoof the - Kerberos server (not easy, but possible). - Some sites might want to use it anyways, in - which case they should change this line - to: - if (kpass_ok) - */ - - if (lpass_ok) - break; - if (got_v5_tickets) { if (retval = krb5_verify_init_creds(kcontext, &my_creds, NULL, NULL, &xtra_creds, @@ -1338,6 +1326,9 @@ } #endif /* KRB4_GET_TICKETS */ + if (lpass_ok) + break; + bad_login: setpriority(PRIO_PROCESS, 0, 0 + PRIO_OFFSET); 
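Review bot: The return value of the added `krb5_cc_set_default_name(kcontext, ccfile);` in the `if (!getenv(KRB5_ENV_CCNAME))` branch is discarded. If the call fails, the environment already names `ccfile` while the context may still resolve a different default cache, so tickets may end up in a cache the session never reads. Assuming a `krb5_error_code` variable is in scope there, test it with `if ((retval = krb5_cc_set_default_name(kcontext, ccfile)) != 0)` and report it through `com_err` as the ccache code later in the file does. The same unchecked call is added in the `@@ -1727,6 +1727,7 @@` and `@@ -1748,8 +1749,10 @@` hunks. The enclosing block starts and ends outside this hunk.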
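Review bot: The relocated `if (lpass_ok) break;` just above `bad_login:` has no comment, and the commit deletes the only statement of the authentication policy (the "If local password is good, user is good" block removed at -1303). In the new order a correct local password is honoured only after the `krb5_verify_init_creds` check and the code ending at `#endif /* KRB4_GET_TICKETS */` have run. What a verification failure does to a user whose local password is valid is decided by lines outside this hunk, so confirm that an unreachable KDC or a missing host key cannot lock out local accounts unintentionally. Add a comment above the new lines such as `/* Local password is accepted only after any Kerberos tickets obtained above have been verified. */`, adjusted to the actual intent.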
@@ -1634,19 +1625,28 @@ /* set up credential cache -- obeying KRB5_ENV_CCNAME set earlier */ /* (KRB5_ENV_CCNAME == "KRB5CCNAME" via osconf.h) */ - if (retval = krb5_cc_default(kcontext, &ccache)) { + retval = krb5_cc_default(kcontext, &ccache); + if (retval) com_err(argv[0], retval, "while getting default ccache"); - } else if (retval = krb5_cc_initialize(kcontext, ccache, me)) { - com_err(argv[0], retval, "when initializing cache"); - } else if (retval = krb5_cc_store_cred(kcontext, ccache, &my_creds)) { - com_err(argv[0], retval, "while storing credentials"); - } else if (xtra_creds && - (retval = krb5_cc_copy_creds(kcontext, xtra_creds, - ccache))) { - com_err(argv[0], retval, "while storing credentials"); + else { + retval = krb5_cc_initialize(kcontext, ccache, me); + if (retval) + com_err(argv[0], retval, "when initializing cache"); + else { + retval = krb5_cc_store_cred(kcontext, ccache, &my_creds); + if (retval) + com_err(argv[0], retval, "while storing credentials"); + else { + if (xtra_creds) { + retval = krb5_cc_copy_creds(kcontext, xtra_creds, + ccache); + if (retval) + com_err(argv[0], retval, "while storing credentials"); + krb5_cc_destroy(kcontext, xtra_creds); + } + } + } } - - krb5_cc_destroy(kcontext, xtra_creds); } else if (forwarded_v5_tickets && rewrite_ccache) { if ((retval = krb5_cc_initialize (kcontext, ccache, me))) { syslog(LOG_ERR, @@ -1727,6 +1727,7 @@ if (ccname) setenv("KRB5CCNAME", ccname, 1); + krb5_cc_set_default_name(kcontext, ccname); setenv("HOME", pwd->pw_dir, 1); setenv("PATH", LPATH, 1); @@ -1748,8 +1749,10 @@ #ifdef KRB5_GET_TICKETS /* ccfile[0] is only set if we got tickets above */ - if (login_krb5_get_tickets && ccfile[0]) + if (login_krb5_get_tickets && ccfile[0]) { (void) setenv(KRB5_ENV_CCNAME, ccfile, 1); + krb5_cc_set_default_name(kcontext, ccfile); + } #endif /* KRB5_GET_TICKETS */ if (tty[sizeof("tty")-1] == 'd')
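Review bot: `krb5_cc_destroy(kcontext, xtra_creds)` now sits inside the innermost `else`, so it runs only when `krb5_cc_default`, `krb5_cc_initialize` and `krb5_cc_store_cred` have all succeeded. On any of those three error paths a non-NULL `xtra_creds` is left undestroyed, whereas the old code called destroy after the chain in every case. Keep the NULL guard this commit introduces, but move the call back out of the nesting, after the outer `else` closes: `if (xtra_creds) krb5_cc_destroy(kcontext, xtra_creds);`. That way the temporary credentials do not outlive a failed cache setup. The enclosing `if` block starts above the hunk.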
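Review bot: The added `krb5_cc_set_default_name(kcontext, ccname);` is not covered by the preceding `if (ccname)`, which has no braces and guards only the `setenv` line, so the call also runs when `ccname` is NULL. If a NULL argument is meant to reset the context to its computed default, say so in a comment. Otherwise brace the pair, `if (ccname) { setenv("KRB5CCNAME", ccname, 1); krb5_cc_set_default_name(kcontext, ccname); }`, as the `@@ -1748,8 +1749,10 @@` hunk does for `ccfile`. The hunk does not show whether `kcontext` is declared here when `KRB5_GET_TICKETS` is not defined, so that build configuration is worth checking.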