1
0
mirror of https://git.FreeBSD.org/ports.git synced 2024-11-14 23:46:10 +00:00
freebsd-ports/security/krb5-appl/files/patch-ba
Jacques Vidrine f91c2d7892 Fix for abort in login.krb5 (segment violation when trying to get a
TGT).

Obtained from:		MIT Kerberos GNATS PR krb5-appl/762, 763
1999-10-13 18:43:59 +00:00

101 lines
3.1 KiB
Plaintext

--- appl/bsd/login.c.ORIG Wed Oct 13 12:55:47 1999
+++ appl/bsd/login.c Wed Oct 13 12:56:29 1999
@@ -518,6 +518,7 @@
if (!getenv(KRB5_ENV_CCNAME)) {
sprintf(ccfile, "FILE:/tmp/krb5cc_p%d", getpid());
setenv(KRB5_ENV_CCNAME, ccfile, 1);
+ krb5_cc_set_default_name(kcontext, ccfile);
unlink(ccfile+strlen("FILE:"));
} else {
/* note it correctly */
@@ -1303,19 +1304,6 @@
setpriority(PRIO_PROCESS, 0, 0 + PRIO_OFFSET);
}
- /* Policy: If local password is good, user is good.
- We really can't trust the Kerberos password,
- because somebody on the net could spoof the
- Kerberos server (not easy, but possible).
- Some sites might want to use it anyways, in
- which case they should change this line
- to:
- if (kpass_ok)
- */
-
- if (lpass_ok)
- break;
-
if (got_v5_tickets) {
if (retval = krb5_verify_init_creds(kcontext, &my_creds, NULL,
NULL, &xtra_creds,
@@ -1338,6 +1326,9 @@
}
#endif /* KRB4_GET_TICKETS */
+ if (lpass_ok)
+ break;
+
bad_login:
setpriority(PRIO_PROCESS, 0, 0 + PRIO_OFFSET);
@@ -1634,19 +1625,28 @@
/* set up credential cache -- obeying KRB5_ENV_CCNAME
set earlier */
/* (KRB5_ENV_CCNAME == "KRB5CCNAME" via osconf.h) */
- if (retval = krb5_cc_default(kcontext, &ccache)) {
+ retval = krb5_cc_default(kcontext, &ccache);
+ if (retval)
com_err(argv[0], retval, "while getting default ccache");
- } else if (retval = krb5_cc_initialize(kcontext, ccache, me)) {
- com_err(argv[0], retval, "when initializing cache");
- } else if (retval = krb5_cc_store_cred(kcontext, ccache, &my_creds)) {
- com_err(argv[0], retval, "while storing credentials");
- } else if (xtra_creds &&
- (retval = krb5_cc_copy_creds(kcontext, xtra_creds,
- ccache))) {
- com_err(argv[0], retval, "while storing credentials");
+ else {
+ retval = krb5_cc_initialize(kcontext, ccache, me);
+ if (retval)
+ com_err(argv[0], retval, "when initializing cache");
+ else {
+ retval = krb5_cc_store_cred(kcontext, ccache, &my_creds);
+ if (retval)
+ com_err(argv[0], retval, "while storing credentials");
+ else {
+ if (xtra_creds) {
+ retval = krb5_cc_copy_creds(kcontext, xtra_creds,
+ ccache);
+ if (retval)
+ com_err(argv[0], retval, "while storing credentials");
+ krb5_cc_destroy(kcontext, xtra_creds);
+ }
+ }
+ }
}
-
- krb5_cc_destroy(kcontext, xtra_creds);
} else if (forwarded_v5_tickets && rewrite_ccache) {
if ((retval = krb5_cc_initialize (kcontext, ccache, me))) {
syslog(LOG_ERR,
@@ -1727,6 +1727,7 @@
if (ccname)
setenv("KRB5CCNAME", ccname, 1);
+ krb5_cc_set_default_name(kcontext, ccname);
setenv("HOME", pwd->pw_dir, 1);
setenv("PATH", LPATH, 1);
@@ -1748,8 +1749,10 @@
#ifdef KRB5_GET_TICKETS
/* ccfile[0] is only set if we got tickets above */
- if (login_krb5_get_tickets && ccfile[0])
+ if (login_krb5_get_tickets && ccfile[0]) {
(void) setenv(KRB5_ENV_CCNAME, ccfile, 1);
+ krb5_cc_set_default_name(kcontext, ccfile);
+ }
#endif /* KRB5_GET_TICKETS */
if (tty[sizeof("tty")-1] == 'd')