-rw-r--r-- | security/krb5-16/files/patch-ba | 100 | ||||
-rw-r--r-- | security/krb5-17/files/patch-ba | 100 | ||||
-rw-r--r-- | security/krb5-appl/files/patch-ba | 100 | ||||
-rw-r--r-- | security/krb5/files/patch-ba | 100 |
4 files changed, 400 insertions, 0 deletions
diff --git a/security/krb5-16/files/patch-ba b/security/krb5-16/files/patch-ba
new file mode 100644
index 000000000000..f346d9b8e80e
--- /dev/null
+++ b/security/krb5-16/files/patch-ba
@@ -0,0 +1,100 @@
+--- appl/bsd/login.c.ORIG Wed Oct 13 12:55:47 1999
++++ appl/bsd/login.c Wed Oct 13 12:56:29 1999
+@@ -518,6 +518,7 @@
+ if (!getenv(KRB5_ENV_CCNAME)) {
+ sprintf(ccfile, "FILE:/tmp/krb5cc_p%d", getpid());
+ setenv(KRB5_ENV_CCNAME, ccfile, 1);
++ krb5_cc_set_default_name(kcontext, ccfile);
+ unlink(ccfile+strlen("FILE:"));
+ } else {
+ /* note it correctly */
+@@ -1303,19 +1304,6 @@
+ setpriority(PRIO_PROCESS, 0, 0 + PRIO_OFFSET);
+ }
+
+- /* Policy: If local password is good, user is good.
+- We really can't trust the Kerberos password,
+- because somebody on the net could spoof the
+- Kerberos server (not easy, but possible).
+- Some sites might want to use it anyways, in
+- which case they should change this line
+- to:
+- if (kpass_ok)
+- */
+-
+- if (lpass_ok)
+- break;
+-
+ if (got_v5_tickets) {
+ if (retval = krb5_verify_init_creds(kcontext, &my_creds, NULL,
+ NULL, &xtra_creds,
+@@ -1338,6 +1326,9 @@
+ }
+ #endif /* KRB4_GET_TICKETS */
+
++ if (lpass_ok)
++ break;
++
+ bad_login:
+ setpriority(PRIO_PROCESS, 0, 0 + PRIO_OFFSET);
+
+@@ -1634,19 +1625,28 @@
+ /* set up credential cache -- obeying KRB5_ENV_CCNAME
+ set earlier */
+ /* (KRB5_ENV_CCNAME == "KRB5CCNAME" via osconf.h) */
+- if (retval = krb5_cc_default(kcontext, &ccache)) {
++ retval = krb5_cc_default(kcontext, &ccache);
++ if (retval)
+ com_err(argv[0], retval, "while getting default ccache");
+- } else if (retval = krb5_cc_initialize(kcontext, ccache, me)) {
+- com_err(argv[0], retval, "when initializing cache");
+- } else if (retval = krb5_cc_store_cred(kcontext, ccache, &my_creds)) {
+- com_err(argv[0], retval, "while storing credentials");
+- } else if (xtra_creds &&
+- (retval = krb5_cc_copy_creds(kcontext, xtra_creds,
+- ccache))) {
+- com_err(argv[0], retval, "while storing credentials");
++ else {
++ retval = krb5_cc_initialize(kcontext, ccache, me);
++ if (retval)
++ com_err(argv[0], retval, "when initializing cache");
++ else {
++ retval = krb5_cc_store_cred(kcontext, ccache, &my_creds);
++ if (retval)
++ com_err(argv[0], retval, "while storing credentials");
++ else {
++ if (xtra_creds) {
++ retval = krb5_cc_copy_creds(kcontext, xtra_creds,
++ ccache);
++ if (retval)
++ com_err(argv[0], retval, "while storing credentials");
++ krb5_cc_destroy(kcontext, xtra_creds);
++ }
++ }
++ }
+ }
+-
+- krb5_cc_destroy(kcontext, xtra_creds);
+ } else if (forwarded_v5_tickets && rewrite_ccache) {
+ if ((retval = krb5_cc_initialize (kcontext, ccache, me))) {
+ syslog(LOG_ERR,
+@@ -1727,6 +1727,7 @@
+
+ if (ccname)
+ setenv("KRB5CCNAME", ccname, 1);
++ krb5_cc_set_default_name(kcontext, ccname);
+
+ setenv("HOME", pwd->pw_dir, 1);
+ setenv("PATH", LPATH, 1);
+@@ -1748,8 +1749,10 @@
+
+ #ifdef KRB5_GET_TICKETS
+ /* ccfile[0] is only set if we got tickets above */
+- if (login_krb5_get_tickets && ccfile[0])
++ if (login_krb5_get_tickets && ccfile[0]) {
+ (void) setenv(KRB5_ENV_CCNAME, ccfile, 1);
++ krb5_cc_set_default_name(kcontext, ccfile);
++ }
+ #endif /* KRB5_GET_TICKETS */
+
+ if (tty[sizeof("tty")-1] == 'd')
diff --git a/security/krb5-17/files/patch-ba b/security/krb5-17/files/patch-ba
new file mode 100644
index 000000000000..f346d9b8e80e
--- /dev/null
+++ b/security/krb5-17/files/patch-ba
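Review bot: In the rewritten credential-cache block (inner hunk `@@ -1634,19 +1625,28 @@`), `krb5_cc_destroy(kcontext, xtra_creds)` is now reached only after `krb5_cc_default`, `krb5_cc_initialize` and `krb5_cc_store_cred` have all succeeded, so on any of those error paths the extra cache that was passed to `krb5_verify_init_creds` as `&xtra_creds` is left undestroyed. Keeping the NULL guard but moving the cleanup back after the chain, `if (xtra_creds) krb5_cc_destroy(kcontext, xtra_creds);`, would release it on every path. Separately, in inner hunk `@@ -1727,6 +1727,7 @@` the added `krb5_cc_set_default_name(kcontext, ccname);` follows the unbraced `if (ccname)` and so runs even when `ccname` is NULL, unlike the braced form in the last hunk; brace it, or add a comment such as `/* NULL resets the library default on purpose */` if that is intended, and consider checking its return value at all three call sites. The identical patch is added under security/krb5-17, security/krb5-appl and security/krb5, so these points apply to all four copies. The enclosing function begins and ends outside the hunks shown.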
@@ -0,0 +1,100 @@
+--- appl/bsd/login.c.ORIG Wed Oct 13 12:55:47 1999
++++ appl/bsd/login.c Wed Oct 13 12:56:29 1999
+@@ -518,6 +518,7 @@
+ if (!getenv(KRB5_ENV_CCNAME)) {
+ sprintf(ccfile, "FILE:/tmp/krb5cc_p%d", getpid());
+ setenv(KRB5_ENV_CCNAME, ccfile, 1);
++ krb5_cc_set_default_name(kcontext, ccfile);
+ unlink(ccfile+strlen("FILE:"));
+ } else {
+ /* note it correctly */
+@@ -1303,19 +1304,6 @@
+ setpriority(PRIO_PROCESS, 0, 0 + PRIO_OFFSET);
+ }
+
+- /* Policy: If local password is good, user is good.
+- We really can't trust the Kerberos password,
+- because somebody on the net could spoof the
+- Kerberos server (not easy, but possible).
+- Some sites might want to use it anyways, in
+- which case they should change this line
+- to:
+- if (kpass_ok)
+- */
+-
+- if (lpass_ok)
+- break;
+-
+ if (got_v5_tickets) {
+ if (retval = krb5_verify_init_creds(kcontext, &my_creds, NULL,
+ NULL, &xtra_creds,
+@@ -1338,6 +1326,9 @@
+ }
+ #endif /* KRB4_GET_TICKETS */
+
++ if (lpass_ok)
++ break;
++
+ bad_login:
+ setpriority(PRIO_PROCESS, 0, 0 + PRIO_OFFSET);
+
+@@ -1634,19 +1625,28 @@
+ /* set up credential cache -- obeying KRB5_ENV_CCNAME
+ set earlier */
+ /* (KRB5_ENV_CCNAME == "KRB5CCNAME" via osconf.h) */
+- if (retval = krb5_cc_default(kcontext, &ccache)) {
++ retval = krb5_cc_default(kcontext, &ccache);
++ if (retval)
+ com_err(argv[0], retval, "while getting default ccache");
+- } else if (retval = krb5_cc_initialize(kcontext, ccache, me)) {
+- com_err(argv[0], retval, "when initializing cache");
+- } else if (retval = krb5_cc_store_cred(kcontext, ccache, &my_creds)) {
+- com_err(argv[0], retval, "while storing credentials");
+- } else if (xtra_creds &&
+- (retval = krb5_cc_copy_creds(kcontext, xtra_creds,
+- ccache))) {
+- com_err(argv[0], retval, "while storing credentials");
++ else {
++ retval = krb5_cc_initialize(kcontext, ccache, me);
++ if (retval)
++ com_err(argv[0], retval, "when initializing cache");
++ else {
++ retval = krb5_cc_store_cred(kcontext, ccache, &my_creds);
++ if (retval)
++ com_err(argv[0], retval, "while storing credentials");
++ else {
++ if (xtra_creds) {
++ retval = krb5_cc_copy_creds(kcontext, xtra_creds,
++ ccache);
++ if (retval)
++ com_err(argv[0], retval, "while storing credentials");
++ krb5_cc_destroy(kcontext, xtra_creds);
++ }
++ }
++ }
+ }
+-
+- krb5_cc_destroy(kcontext, xtra_creds);
+ } else if (forwarded_v5_tickets && rewrite_ccache) {
+ if ((retval = krb5_cc_initialize (kcontext, ccache, me))) {
+ syslog(LOG_ERR,
+@@ -1727,6 +1727,7 @@
+
+ if (ccname)
+ setenv("KRB5CCNAME", ccname, 1);
++ krb5_cc_set_default_name(kcontext, ccname);
+
+ setenv("HOME", pwd->pw_dir, 1);
+ setenv("PATH", LPATH, 1);
+@@ -1748,8 +1749,10 @@
+
+ #ifdef KRB5_GET_TICKETS
+ /* ccfile[0] is only set if we got tickets above */
+- if (login_krb5_get_tickets && ccfile[0])
++ if (login_krb5_get_tickets && ccfile[0]) {
+ (void) setenv(KRB5_ENV_CCNAME, ccfile, 1);
++ krb5_cc_set_default_name(kcontext, ccfile);
++ }
+ #endif /* KRB5_GET_TICKETS */
+
+ if (tty[sizeof("tty")-1] == 'd')
diff --git a/security/krb5-appl/files/patch-ba b/security/krb5-appl/files/patch-ba
new file mode 100644
index 000000000000..f346d9b8e80e
--- /dev/null
+++ b/security/krb5-appl/files/patch-ba
@@ -0,0 +1,100 @@
+--- appl/bsd/login.c.ORIG Wed Oct 13 12:55:47 1999
++++ appl/bsd/login.c Wed Oct 13 12:56:29 1999
+@@ -518,6 +518,7 @@
+ if (!getenv(KRB5_ENV_CCNAME)) {
+ sprintf(ccfile, "FILE:/tmp/krb5cc_p%d", getpid());
+ setenv(KRB5_ENV_CCNAME, ccfile, 1);
++ krb5_cc_set_default_name(kcontext, ccfile);
+ unlink(ccfile+strlen("FILE:"));
+ } else {
+ /* note it correctly */
+@@ -1303,19 +1304,6 @@
+ setpriority(PRIO_PROCESS, 0, 0 + PRIO_OFFSET);
+ }
+
+- /* Policy: If local password is good, user is good.
+- We really can't trust the Kerberos password,
+- because somebody on the net could spoof the
+- Kerberos server (not easy, but possible).
+- Some sites might want to use it anyways, in
+- which case they should change this line
+- to:
+- if (kpass_ok)
+- */
+-
+- if (lpass_ok)
+- break;
+-
+ if (got_v5_tickets) {
+ if (retval = krb5_verify_init_creds(kcontext, &my_creds, NULL,
+ NULL, &xtra_creds,
+@@ -1338,6 +1326,9 @@
+ }
+ #endif /* KRB4_GET_TICKETS */
+
++ if (lpass_ok)
++ break;
++
+ bad_login:
+ setpriority(PRIO_PROCESS, 0, 0 + PRIO_OFFSET);
+
+@@ -1634,19 +1625,28 @@
+ /* set up credential cache -- obeying KRB5_ENV_CCNAME
+ set earlier */
+ /* (KRB5_ENV_CCNAME == "KRB5CCNAME" via osconf.h) */
+- if (retval = krb5_cc_default(kcontext, &ccache)) {
++ retval = krb5_cc_default(kcontext, &ccache);
++ if (retval)
+ com_err(argv[0], retval, "while getting default ccache");
+- } else if (retval = krb5_cc_initialize(kcontext, ccache, me)) {
+- com_err(argv[0], retval, "when initializing cache");
+- } else if (retval = krb5_cc_store_cred(kcontext, ccache, &my_creds)) {
+- com_err(argv[0], retval, "while storing credentials");
+- } else if (xtra_creds &&
+- (retval = krb5_cc_copy_creds(kcontext, xtra_creds,
+- ccache))) {
+- com_err(argv[0], retval, "while storing credentials");
++ else {
++ retval = krb5_cc_initialize(kcontext, ccache, me);
++ if (retval)
++ com_err(argv[0], retval, "when initializing cache");
++ else {
++ retval = krb5_cc_store_cred(kcontext, ccache, &my_creds);
++ if (retval)
++ com_err(argv[0], retval, "while storing credentials");
++ else {
++ if (xtra_creds) {
++ retval = krb5_cc_copy_creds(kcontext, xtra_creds,
++ ccache);
++ if (retval)
++ com_err(argv[0], retval, "while storing credentials");
++ krb5_cc_destroy(kcontext, xtra_creds);
++ }
++ }
++ }
+ }
+-
+- krb5_cc_destroy(kcontext, xtra_creds);
+ } else if (forwarded_v5_tickets && rewrite_ccache) {
+ if ((retval = krb5_cc_initialize (kcontext, ccache, me))) {
+ syslog(LOG_ERR,
+@@ -1727,6 +1727,7 @@
+
+ if (ccname)
+ setenv("KRB5CCNAME", ccname, 1);
++ krb5_cc_set_default_name(kcontext, ccname);
+
+ setenv("HOME", pwd->pw_dir, 1);
+ setenv("PATH", LPATH, 1);
+@@ -1748,8 +1749,10 @@
+
+ #ifdef KRB5_GET_TICKETS
+ /* ccfile[0] is only set if we got tickets above */
+- if (login_krb5_get_tickets && ccfile[0])
++ if (login_krb5_get_tickets && ccfile[0]) {
+ (void) setenv(KRB5_ENV_CCNAME, ccfile, 1);
++ krb5_cc_set_default_name(kcontext, ccfile);
++ }
+ #endif /* KRB5_GET_TICKETS */
+
+ if (tty[sizeof("tty")-1] == 'd')
diff --git a/security/krb5/files/patch-ba b/security/krb5/files/patch-ba
new file mode 100644
index 000000000000..f346d9b8e80e
--- /dev/null
+++ b/security/krb5/files/patch-ba
@@ -0,0 +1,100 @@
+--- appl/bsd/login.c.ORIG Wed Oct 13 12:55:47 1999
++++ appl/bsd/login.c Wed Oct 13 12:56:29 1999
+@@ -518,6 +518,7 @@
+ if (!getenv(KRB5_ENV_CCNAME)) {
+ sprintf(ccfile, "FILE:/tmp/krb5cc_p%d", getpid());
+ setenv(KRB5_ENV_CCNAME, ccfile, 1);
++ krb5_cc_set_default_name(kcontext, ccfile);
+ unlink(ccfile+strlen("FILE:"));
+ } else {
+ /* note it correctly */
+@@ -1303,19 +1304,6 @@
+ setpriority(PRIO_PROCESS, 0, 0 + PRIO_OFFSET);
+ }
+
+- /* Policy: If local password is good, user is good.
+- We really can't trust the Kerberos password,
+- because somebody on the net could spoof the
+- Kerberos server (not easy, but possible).
+- Some sites might want to use it anyways, in
+- which case they should change this line
+- to:
+- if (kpass_ok)
+- */
+-
+- if (lpass_ok)
+- break;
+-
+ if (got_v5_tickets) {
+ if (retval = krb5_verify_init_creds(kcontext, &my_creds, NULL,
+ NULL, &xtra_creds,
+@@ -1338,6 +1326,9 @@
+ }
+ #endif /* KRB4_GET_TICKETS */
+
++ if (lpass_ok)
++ break;
++
+ bad_login:
+ setpriority(PRIO_PROCESS, 0, 0 + PRIO_OFFSET);
+
+@@ -1634,19 +1625,28 @@
+ /* set up credential cache -- obeying KRB5_ENV_CCNAME
+ set earlier */
+ /* (KRB5_ENV_CCNAME == "KRB5CCNAME" via osconf.h) */
+- if (retval = krb5_cc_default(kcontext, &ccache)) {
++ retval = krb5_cc_default(kcontext, &ccache);
++ if (retval)
+ com_err(argv[0], retval, "while getting default ccache");
+- } else if (retval = krb5_cc_initialize(kcontext, ccache, me)) {
+- com_err(argv[0], retval, "when initializing cache");
+- } else if (retval = krb5_cc_store_cred(kcontext, ccache, &my_creds)) {
+- com_err(argv[0], retval, "while storing credentials");
+- } else if (xtra_creds &&
+- (retval = krb5_cc_copy_creds(kcontext, xtra_creds,
+- ccache))) {
+- com_err(argv[0], retval, "while storing credentials");
++ else {
++ retval = krb5_cc_initialize(kcontext, ccache, me);
++ if (retval)
++ com_err(argv[0], retval, "when initializing cache");
++ else {
++ retval = krb5_cc_store_cred(kcontext, ccache, &my_creds);
++ if (retval)
++ com_err(argv[0], retval, "while storing credentials");
++ else {
++ if (xtra_creds) {
++ retval = krb5_cc_copy_creds(kcontext, xtra_creds,
++ ccache);
++ if (retval)
++ com_err(argv[0], retval, "while storing credentials");
++ krb5_cc_destroy(kcontext, xtra_creds);
++ }
++ }
++ }
+ }
+-
+- krb5_cc_destroy(kcontext, xtra_creds);
+ } else if (forwarded_v5_tickets && rewrite_ccache) {
+ if ((retval = krb5_cc_initialize (kcontext, ccache, me))) {
+ syslog(LOG_ERR,
+@@ -1727,6 +1727,7 @@
+
+ if (ccname)
+ setenv("KRB5CCNAME", ccname, 1);
++ krb5_cc_set_default_name(kcontext, ccname);
+
+ setenv("HOME", pwd->pw_dir, 1);
+ setenv("PATH", LPATH, 1);
+@@ -1748,8 +1749,10 @@
+
+ #ifdef KRB5_GET_TICKETS
+ /* ccfile[0] is only set if we got tickets above */
+- if (login_krb5_get_tickets && ccfile[0])
++ if (login_krb5_get_tickets && ccfile[0]) {
+ (void) setenv(KRB5_ENV_CCNAME, ccfile, 1);
++ krb5_cc_set_default_name(kcontext, ccfile);
++ }
+ #endif /* KRB5_GET_TICKETS */
+
+ if (tty[sizeof("tty")-1] == 'd') |