security/krb5-appl/files/patch-ba


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100

--- appl/bsd/login.c.ORIG	Wed Oct 13 12:55:47 1999
+++ appl/bsd/login.c	Wed Oct 13 12:56:29 1999
@@ -518,6 +518,7 @@
     if (!getenv(KRB5_ENV_CCNAME)) {
 	sprintf(ccfile, "FILE:/tmp/krb5cc_p%d", getpid());
 	setenv(KRB5_ENV_CCNAME, ccfile, 1);
+	krb5_cc_set_default_name(kcontext, ccfile);
 	unlink(ccfile+strlen("FILE:"));
     } else {
 	/* note it correctly */
@@ -1303,19 +1304,6 @@
 		setpriority(PRIO_PROCESS, 0, 0 + PRIO_OFFSET);
 	    }
 
-	    /* Policy: If local password is good, user is good.
-	       We really can't trust the Kerberos password,
-	       because somebody on the net could spoof the
-	       Kerberos server (not easy, but possible).
-	       Some sites might want to use it anyways, in
-	       which case they should change this line
-	       to:
-	       if (kpass_ok)
-	    */
-
-	    if (lpass_ok)
-		break;
-
 	    if (got_v5_tickets) {
 		if (retval = krb5_verify_init_creds(kcontext, &my_creds, NULL,
 						    NULL, &xtra_creds,
@@ -1338,6 +1326,9 @@
 	    }
 #endif /* KRB4_GET_TICKETS */
 
+	    if (lpass_ok)
+		break;
+
 	bad_login:
 	    setpriority(PRIO_PROCESS, 0, 0 + PRIO_OFFSET);
 
@@ -1634,19 +1625,28 @@
 	/* set up credential cache -- obeying KRB5_ENV_CCNAME 
 	   set earlier */
 	/* (KRB5_ENV_CCNAME == "KRB5CCNAME" via osconf.h) */
-	if (retval = krb5_cc_default(kcontext, &ccache)) {
+	retval = krb5_cc_default(kcontext, &ccache);
+	if (retval)
 	    com_err(argv[0], retval, "while getting default ccache");
-	} else if (retval = krb5_cc_initialize(kcontext, ccache, me)) {
-	    com_err(argv[0], retval, "when initializing cache");
-	} else if (retval = krb5_cc_store_cred(kcontext, ccache, &my_creds)) {
-	    com_err(argv[0], retval, "while storing credentials");
-	} else if (xtra_creds &&
-		   (retval = krb5_cc_copy_creds(kcontext, xtra_creds,
-						ccache))) {
-	    com_err(argv[0], retval, "while storing credentials");
+	else {
+	    retval = krb5_cc_initialize(kcontext, ccache, me);
+	    if (retval)
+		com_err(argv[0], retval, "when initializing cache");
+	    else {
+		retval = krb5_cc_store_cred(kcontext, ccache, &my_creds);
+		if (retval)
+		    com_err(argv[0], retval, "while storing credentials");
+		else  {
+		    if (xtra_creds) {
+			retval = krb5_cc_copy_creds(kcontext, xtra_creds,
+						ccache);
+			if (retval)
+			    com_err(argv[0], retval, "while storing credentials");
+			krb5_cc_destroy(kcontext, xtra_creds);
+		    }
+		}
+	    }
 	}
-
-	krb5_cc_destroy(kcontext, xtra_creds);
     } else if (forwarded_v5_tickets && rewrite_ccache) {
 	if ((retval = krb5_cc_initialize (kcontext, ccache, me))) {
 	    syslog(LOG_ERR,
@@ -1727,6 +1727,7 @@
 
     if (ccname)
 	setenv("KRB5CCNAME", ccname, 1);
+    krb5_cc_set_default_name(kcontext, ccname);
 
     setenv("HOME", pwd->pw_dir, 1);
     setenv("PATH", LPATH, 1);
@@ -1748,8 +1749,10 @@
 
 #ifdef KRB5_GET_TICKETS
     /* ccfile[0] is only set if we got tickets above */
-    if (login_krb5_get_tickets && ccfile[0])
+    if (login_krb5_get_tickets && ccfile[0]) {
 	(void) setenv(KRB5_ENV_CCNAME, ccfile, 1);
+	krb5_cc_set_default_name(kcontext, ccfile);
+    }
 #endif /* KRB5_GET_TICKETS */
 
     if (tty[sizeof("tty")-1] == 'd')