summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDarren Tucker <dtucker@zip.com.au>2005-11-22 19:42:42 +1100
committerDarren Tucker <dtucker@zip.com.au>2005-11-22 19:42:42 +1100
commitf4732f647572f40d93f4fbd1e65d744ed10b2620 (patch)
treee26808c082fcbca769626081462a9e8f764f4d22
parente8400da9d53700872c9dea6b9d52af98c59022b9 (diff)
downloadopenssh-git-f4732f647572f40d93f4fbd1e65d744ed10b2620.tar.gz
- dtucker@cvs.openbsd.org 2005/11/21 09:42:10
[auth-krb5.c] Perform Kerberos calls even for invalid users to prevent leaking information about account validity. bz #975, patch originally from Senthil Kumar, sanity checked by Simon Wilkinson, tested by djm@, biorn@, ok markus@
-rw-r--r--ChangeLog8
-rw-r--r--auth-krb5.c7
2 files changed, 9 insertions, 6 deletions
diff --git a/ChangeLog b/ChangeLog
index bfd18702..6077bb5a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -12,6 +12,12 @@
will pull it in. At the moment it gets pulled in by sys/select.h
(which ssh has no business including) via event.h. OK markus@
(ID sync only in -portable)
+ - dtucker@cvs.openbsd.org 2005/11/21 09:42:10
+ [auth-krb5.c]
+ Perform Kerberos calls even for invalid users to prevent leaking
+ information about account validity. bz #975, patch originally from
+ Senthil Kumar, sanity checked by Simon Wilkinson, tested by djm@, biorn@,
+ ok markus@
20051120
- (dtucker) [openbsd-compat/openssl-compat.h] Add comment explaining what
@@ -3321,4 +3327,4 @@
- (djm) Trim deprecated options from INSTALL. Mention UsePAM
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.3999 2005/11/22 08:41:33 dtucker Exp $
+$Id: ChangeLog,v 1.4000 2005/11/22 08:42:42 dtucker Exp $
diff --git a/auth-krb5.c b/auth-krb5.c
index a84e5401..64d61354 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -28,7 +28,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-krb5.c,v 1.15 2003/11/21 11:57:02 djm Exp $");
+RCSID("$OpenBSD: auth-krb5.c,v 1.16 2005/11/21 09:42:10 dtucker Exp $");
#include "ssh.h"
#include "ssh1.h"
@@ -69,9 +69,6 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
krb5_ccache ccache = NULL;
int len;
- if (!authctxt->valid)
- return (0);
-
temporarily_use_uid(authctxt->pw);
problem = krb5_init(authctxt);
@@ -188,7 +185,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
else
return (0);
}
- return (1);
+ return (authctxt->valid ? 1 : 0);
}
void