From f4732f647572f40d93f4fbd1e65d744ed10b2620 Mon Sep 17 00:00:00 2001
From: Darren Tucker <dtucker@zip.com.au>
Date: Tue, 22 Nov 2005 19:42:42 +1100
Subject:    - dtucker@cvs.openbsd.org 2005/11/21 09:42:10      [auth-krb5.c]  
    Perform Kerberos calls even for invalid users to prevent leaking     
 information about account validity.  bz #975, patch originally from     
 Senthil Kumar, sanity checked by Simon Wilkinson, tested by djm@, biorn@,    
  ok markus@

---
 auth-krb5.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

(limited to 'auth-krb5.c')

diff --git a/auth-krb5.c b/auth-krb5.c
index a84e5401..64d61354 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -28,7 +28,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-krb5.c,v 1.15 2003/11/21 11:57:02 djm Exp $");
+RCSID("$OpenBSD: auth-krb5.c,v 1.16 2005/11/21 09:42:10 dtucker Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -69,9 +69,6 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 	krb5_ccache ccache = NULL;
 	int len;
 
-	if (!authctxt->valid)
-		return (0);
-
 	temporarily_use_uid(authctxt->pw);
 
 	problem = krb5_init(authctxt);
@@ -188,7 +185,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 		else
 			return (0);
 	}
-	return (1);
+	return (authctxt->valid ? 1 : 0);
 }
 
 void
-- 
cgit v1.2.1