-rw-r--r--security/krb5-16/files/patch-ba100
-rw-r--r--security/krb5-17/files/patch-ba100
-rw-r--r--security/krb5-appl/files/patch-ba100
-rw-r--r--security/krb5/files/patch-ba100
4 files changed, 400 insertions, 0 deletions
diff --git a/security/krb5-16/files/patch-ba b/security/krb5-16/files/patch-ba
new file mode 100644
index 000000000000..f346d9b8e80e
--- /dev/null
+++ b/security/krb5-16/files/patch-ba
@@ -0,0 +1,100 @@
+--- appl/bsd/login.c.ORIG Wed Oct 13 12:55:47 1999
++++ appl/bsd/login.c Wed Oct 13 12:56:29 1999
+@@ -518,6 +518,7 @@
+ if (!getenv(KRB5_ENV_CCNAME)) {
+ sprintf(ccfile, "FILE:/tmp/krb5cc_p%d", getpid());
+ setenv(KRB5_ENV_CCNAME, ccfile, 1);
++ krb5_cc_set_default_name(kcontext, ccfile);
+ unlink(ccfile+strlen("FILE:"));
+ } else {
+ /* note it correctly */
+@@ -1303,19 +1304,6 @@
+ setpriority(PRIO_PROCESS, 0, 0 + PRIO_OFFSET);
+ }
+
+- /* Policy: If local password is good, user is good.
+- We really can't trust the Kerberos password,
+- because somebody on the net could spoof the
+- Kerberos server (not easy, but possible).
+- Some sites might want to use it anyways, in
+- which case they should change this line
+- to:
+- if (kpass_ok)
+- */
+-
+- if (lpass_ok)
+- break;
+-
+ if (got_v5_tickets) {
+ if (retval = krb5_verify_init_creds(kcontext, &my_creds, NULL,
+ NULL, &xtra_creds,
+@@ -1338,6 +1326,9 @@
+ }
+ #endif /* KRB4_GET_TICKETS */
+
++ if (lpass_ok)
++ break;
++
+ bad_login:
+ setpriority(PRIO_PROCESS, 0, 0 + PRIO_OFFSET);
+
+@@ -1634,19 +1625,28 @@
+ /* set up credential cache -- obeying KRB5_ENV_CCNAME
+ set earlier */
+ /* (KRB5_ENV_CCNAME == "KRB5CCNAME" via osconf.h) */
+- if (retval = krb5_cc_default(kcontext, &ccache)) {
++ retval = krb5_cc_default(kcontext, &ccache);
++ if (retval)
+ com_err(argv[0], retval, "while getting default ccache");
+- } else if (retval = krb5_cc_initialize(kcontext, ccache, me)) {
+- com_err(argv[0], retval, "when initializing cache");
+- } else if (retval = krb5_cc_store_cred(kcontext, ccache, &my_creds)) {
+- com_err(argv[0], retval, "while storing credentials");
+- } else if (xtra_creds &&
+- (retval = krb5_cc_copy_creds(kcontext, xtra_creds,
+- ccache))) {
+- com_err(argv[0], retval, "while storing credentials");
++ else {
++ retval = krb5_cc_initialize(kcontext, ccache, me);
++ if (retval)
++ com_err(argv[0], retval, "when initializing cache");
++ else {
++ retval = krb5_cc_store_cred(kcontext, ccache, &my_creds);
++ if (retval)
++ com_err(argv[0], retval, "while storing credentials");
++ else {
++ if (xtra_creds) {
++ retval = krb5_cc_copy_creds(kcontext, xtra_creds,
++ ccache);
++ if (retval)
++ com_err(argv[0], retval, "while storing credentials");
++ krb5_cc_destroy(kcontext, xtra_creds);
++ }
++ }
++ }
+ }
+-
+- krb5_cc_destroy(kcontext, xtra_creds);
+ } else if (forwarded_v5_tickets && rewrite_ccache) {
+ if ((retval = krb5_cc_initialize (kcontext, ccache, me))) {
+ syslog(LOG_ERR,
+@@ -1727,6 +1727,7 @@
+
+ if (ccname)
+ setenv("KRB5CCNAME", ccname, 1);
++ krb5_cc_set_default_name(kcontext, ccname);
+
+ setenv("HOME", pwd->pw_dir, 1);
+ setenv("PATH", LPATH, 1);
+@@ -1748,8 +1749,10 @@
+
+ #ifdef KRB5_GET_TICKETS
+ /* ccfile[0] is only set if we got tickets above */
+- if (login_krb5_get_tickets && ccfile[0])
++ if (login_krb5_get_tickets && ccfile[0]) {
+ (void) setenv(KRB5_ENV_CCNAME, ccfile, 1);
++ krb5_cc_set_default_name(kcontext, ccfile);
++ }
+ #endif /* KRB5_GET_TICKETS */
+
+ if (tty[sizeof("tty")-1] == 'd')
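Review bot: In the nested `@@ -1727,6 +1727,7 @@` hunk the added `krb5_cc_set_default_name(kcontext, ccname);` follows an unbraced `if (ccname)`, so it runs even when `ccname` is NULL, whereas the `@@ -1748,8 +1749,10 @@` hunk adds braces around the matching pair. If the call is meant to mirror the `setenv`, brace both statements: `if (ccname) { setenv("KRB5CCNAME", ccname, 1); krb5_cc_set_default_name(kcontext, ccname); }`. All three added `krb5_cc_set_default_name` calls also discard the return value, so a failure could leave the context default and the exported `KRB5CCNAME` naming different caches with nothing logged; a `com_err` or `syslog` on a non-zero result would make that visible. The same text is added verbatim under krb5-17, krb5-appl and krb5, and the enclosing function starts and ends outside the hunk.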
diff --git a/security/krb5-17/files/patch-ba b/security/krb5-17/files/patch-ba
new file mode 100644
index 000000000000..f346d9b8e80e
--- /dev/null
+++ b/security/krb5-17/files/patch-ba
@@ -0,0 +1,100 @@
+--- appl/bsd/login.c.ORIG Wed Oct 13 12:55:47 1999
++++ appl/bsd/login.c Wed Oct 13 12:56:29 1999
+@@ -518,6 +518,7 @@
+ if (!getenv(KRB5_ENV_CCNAME)) {
+ sprintf(ccfile, "FILE:/tmp/krb5cc_p%d", getpid());
+ setenv(KRB5_ENV_CCNAME, ccfile, 1);
++ krb5_cc_set_default_name(kcontext, ccfile);
+ unlink(ccfile+strlen("FILE:"));
+ } else {
+ /* note it correctly */
+@@ -1303,19 +1304,6 @@
+ setpriority(PRIO_PROCESS, 0, 0 + PRIO_OFFSET);
+ }
+
+- /* Policy: If local password is good, user is good.
+- We really can't trust the Kerberos password,
+- because somebody on the net could spoof the
+- Kerberos server (not easy, but possible).
+- Some sites might want to use it anyways, in
+- which case they should change this line
+- to:
+- if (kpass_ok)
+- */
+-
+- if (lpass_ok)
+- break;
+-
+ if (got_v5_tickets) {
+ if (retval = krb5_verify_init_creds(kcontext, &my_creds, NULL,
+ NULL, &xtra_creds,
+@@ -1338,6 +1326,9 @@
+ }
+ #endif /* KRB4_GET_TICKETS */
+
++ if (lpass_ok)
++ break;
++
+ bad_login:
+ setpriority(PRIO_PROCESS, 0, 0 + PRIO_OFFSET);
+
+@@ -1634,19 +1625,28 @@
+ /* set up credential cache -- obeying KRB5_ENV_CCNAME
+ set earlier */
+ /* (KRB5_ENV_CCNAME == "KRB5CCNAME" via osconf.h) */
+- if (retval = krb5_cc_default(kcontext, &ccache)) {
++ retval = krb5_cc_default(kcontext, &ccache);
++ if (retval)
+ com_err(argv[0], retval, "while getting default ccache");
+- } else if (retval = krb5_cc_initialize(kcontext, ccache, me)) {
+- com_err(argv[0], retval, "when initializing cache");
+- } else if (retval = krb5_cc_store_cred(kcontext, ccache, &my_creds)) {
+- com_err(argv[0], retval, "while storing credentials");
+- } else if (xtra_creds &&
+- (retval = krb5_cc_copy_creds(kcontext, xtra_creds,
+- ccache))) {
+- com_err(argv[0], retval, "while storing credentials");
++ else {
++ retval = krb5_cc_initialize(kcontext, ccache, me);
++ if (retval)
++ com_err(argv[0], retval, "when initializing cache");
++ else {
++ retval = krb5_cc_store_cred(kcontext, ccache, &my_creds);
++ if (retval)
++ com_err(argv[0], retval, "while storing credentials");
++ else {
++ if (xtra_creds) {
++ retval = krb5_cc_copy_creds(kcontext, xtra_creds,
++ ccache);
++ if (retval)
++ com_err(argv[0], retval, "while storing credentials");
++ krb5_cc_destroy(kcontext, xtra_creds);
++ }
++ }
++ }
+ }
+-
+- krb5_cc_destroy(kcontext, xtra_creds);
+ } else if (forwarded_v5_tickets && rewrite_ccache) {
+ if ((retval = krb5_cc_initialize (kcontext, ccache, me))) {
+ syslog(LOG_ERR,
+@@ -1727,6 +1727,7 @@
+
+ if (ccname)
+ setenv("KRB5CCNAME", ccname, 1);
++ krb5_cc_set_default_name(kcontext, ccname);
+
+ setenv("HOME", pwd->pw_dir, 1);
+ setenv("PATH", LPATH, 1);
+@@ -1748,8 +1749,10 @@
+
+ #ifdef KRB5_GET_TICKETS
+ /* ccfile[0] is only set if we got tickets above */
+- if (login_krb5_get_tickets && ccfile[0])
++ if (login_krb5_get_tickets && ccfile[0]) {
+ (void) setenv(KRB5_ENV_CCNAME, ccfile, 1);
++ krb5_cc_set_default_name(kcontext, ccfile);
++ }
+ #endif /* KRB5_GET_TICKETS */
+
+ if (tty[sizeof("tty")-1] == 'd')
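Review bot: The relocated `if (lpass_ok) break;` in the nested `@@ -1338,6 +1326,9 @@` hunk has no comment, while the block comment removed in `@@ -1303,19 +1304,6 @@` was the only statement of how the local and Kerberos passwords are trusted. With the check now placed after `krb5_verify_init_creds` and the KRB4 block, a good local password presumably no longer skips ticket verification; what a failed verification does to a user whose local password is correct is outside the visible lines and should be confirmed. A replacement comment such as `/* Accept a good local password only after the Kerberos verification above has been attempted. */` would record the new ordering for the next maintainer. Identical text appears in the krb5-16, krb5-appl and krb5 copies.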
diff --git a/security/krb5-appl/files/patch-ba b/security/krb5-appl/files/patch-ba
new file mode 100644
index 000000000000..f346d9b8e80e
--- /dev/null
+++ b/security/krb5-appl/files/patch-ba
@@ -0,0 +1,100 @@
+--- appl/bsd/login.c.ORIG Wed Oct 13 12:55:47 1999
++++ appl/bsd/login.c Wed Oct 13 12:56:29 1999
+@@ -518,6 +518,7 @@
+ if (!getenv(KRB5_ENV_CCNAME)) {
+ sprintf(ccfile, "FILE:/tmp/krb5cc_p%d", getpid());
+ setenv(KRB5_ENV_CCNAME, ccfile, 1);
++ krb5_cc_set_default_name(kcontext, ccfile);
+ unlink(ccfile+strlen("FILE:"));
+ } else {
+ /* note it correctly */
+@@ -1303,19 +1304,6 @@
+ setpriority(PRIO_PROCESS, 0, 0 + PRIO_OFFSET);
+ }
+
+- /* Policy: If local password is good, user is good.
+- We really can't trust the Kerberos password,
+- because somebody on the net could spoof the
+- Kerberos server (not easy, but possible).
+- Some sites might want to use it anyways, in
+- which case they should change this line
+- to:
+- if (kpass_ok)
+- */
+-
+- if (lpass_ok)
+- break;
+-
+ if (got_v5_tickets) {
+ if (retval = krb5_verify_init_creds(kcontext, &my_creds, NULL,
+ NULL, &xtra_creds,
+@@ -1338,6 +1326,9 @@
+ }
+ #endif /* KRB4_GET_TICKETS */
+
++ if (lpass_ok)
++ break;
++
+ bad_login:
+ setpriority(PRIO_PROCESS, 0, 0 + PRIO_OFFSET);
+
+@@ -1634,19 +1625,28 @@
+ /* set up credential cache -- obeying KRB5_ENV_CCNAME
+ set earlier */
+ /* (KRB5_ENV_CCNAME == "KRB5CCNAME" via osconf.h) */
+- if (retval = krb5_cc_default(kcontext, &ccache)) {
++ retval = krb5_cc_default(kcontext, &ccache);
++ if (retval)
+ com_err(argv[0], retval, "while getting default ccache");
+- } else if (retval = krb5_cc_initialize(kcontext, ccache, me)) {
+- com_err(argv[0], retval, "when initializing cache");
+- } else if (retval = krb5_cc_store_cred(kcontext, ccache, &my_creds)) {
+- com_err(argv[0], retval, "while storing credentials");
+- } else if (xtra_creds &&
+- (retval = krb5_cc_copy_creds(kcontext, xtra_creds,
+- ccache))) {
+- com_err(argv[0], retval, "while storing credentials");
++ else {
++ retval = krb5_cc_initialize(kcontext, ccache, me);
++ if (retval)
++ com_err(argv[0], retval, "when initializing cache");
++ else {
++ retval = krb5_cc_store_cred(kcontext, ccache, &my_creds);
++ if (retval)
++ com_err(argv[0], retval, "while storing credentials");
++ else {
++ if (xtra_creds) {
++ retval = krb5_cc_copy_creds(kcontext, xtra_creds,
++ ccache);
++ if (retval)
++ com_err(argv[0], retval, "while storing credentials");
++ krb5_cc_destroy(kcontext, xtra_creds);
++ }
++ }
++ }
+ }
+-
+- krb5_cc_destroy(kcontext, xtra_creds);
+ } else if (forwarded_v5_tickets && rewrite_ccache) {
+ if ((retval = krb5_cc_initialize (kcontext, ccache, me))) {
+ syslog(LOG_ERR,
+@@ -1727,6 +1727,7 @@
+
+ if (ccname)
+ setenv("KRB5CCNAME", ccname, 1);
++ krb5_cc_set_default_name(kcontext, ccname);
+
+ setenv("HOME", pwd->pw_dir, 1);
+ setenv("PATH", LPATH, 1);
+@@ -1748,8 +1749,10 @@
+
+ #ifdef KRB5_GET_TICKETS
+ /* ccfile[0] is only set if we got tickets above */
+- if (login_krb5_get_tickets && ccfile[0])
++ if (login_krb5_get_tickets && ccfile[0]) {
+ (void) setenv(KRB5_ENV_CCNAME, ccfile, 1);
++ krb5_cc_set_default_name(kcontext, ccfile);
++ }
+ #endif /* KRB5_GET_TICKETS */
+
+ if (tty[sizeof("tty")-1] == 'd')
diff --git a/security/krb5/files/patch-ba b/security/krb5/files/patch-ba
new file mode 100644
index 000000000000..f346d9b8e80e
--- /dev/null
+++ b/security/krb5/files/patch-ba
@@ -0,0 +1,100 @@
+--- appl/bsd/login.c.ORIG Wed Oct 13 12:55:47 1999
++++ appl/bsd/login.c Wed Oct 13 12:56:29 1999
+@@ -518,6 +518,7 @@
+ if (!getenv(KRB5_ENV_CCNAME)) {
+ sprintf(ccfile, "FILE:/tmp/krb5cc_p%d", getpid());
+ setenv(KRB5_ENV_CCNAME, ccfile, 1);
++ krb5_cc_set_default_name(kcontext, ccfile);
+ unlink(ccfile+strlen("FILE:"));
+ } else {
+ /* note it correctly */
+@@ -1303,19 +1304,6 @@
+ setpriority(PRIO_PROCESS, 0, 0 + PRIO_OFFSET);
+ }
+
+- /* Policy: If local password is good, user is good.
+- We really can't trust the Kerberos password,
+- because somebody on the net could spoof the
+- Kerberos server (not easy, but possible).
+- Some sites might want to use it anyways, in
+- which case they should change this line
+- to:
+- if (kpass_ok)
+- */
+-
+- if (lpass_ok)
+- break;
+-
+ if (got_v5_tickets) {
+ if (retval = krb5_verify_init_creds(kcontext, &my_creds, NULL,
+ NULL, &xtra_creds,
+@@ -1338,6 +1326,9 @@
+ }
+ #endif /* KRB4_GET_TICKETS */
+
++ if (lpass_ok)
++ break;
++
+ bad_login:
+ setpriority(PRIO_PROCESS, 0, 0 + PRIO_OFFSET);
+
+@@ -1634,19 +1625,28 @@
+ /* set up credential cache -- obeying KRB5_ENV_CCNAME
+ set earlier */
+ /* (KRB5_ENV_CCNAME == "KRB5CCNAME" via osconf.h) */
+- if (retval = krb5_cc_default(kcontext, &ccache)) {
++ retval = krb5_cc_default(kcontext, &ccache);
++ if (retval)
+ com_err(argv[0], retval, "while getting default ccache");
+- } else if (retval = krb5_cc_initialize(kcontext, ccache, me)) {
+- com_err(argv[0], retval, "when initializing cache");
+- } else if (retval = krb5_cc_store_cred(kcontext, ccache, &my_creds)) {
+- com_err(argv[0], retval, "while storing credentials");
+- } else if (xtra_creds &&
+- (retval = krb5_cc_copy_creds(kcontext, xtra_creds,
+- ccache))) {
+- com_err(argv[0], retval, "while storing credentials");
++ else {
++ retval = krb5_cc_initialize(kcontext, ccache, me);
++ if (retval)
++ com_err(argv[0], retval, "when initializing cache");
++ else {
++ retval = krb5_cc_store_cred(kcontext, ccache, &my_creds);
++ if (retval)
++ com_err(argv[0], retval, "while storing credentials");
++ else {
++ if (xtra_creds) {
++ retval = krb5_cc_copy_creds(kcontext, xtra_creds,
++ ccache);
++ if (retval)
++ com_err(argv[0], retval, "while storing credentials");
++ krb5_cc_destroy(kcontext, xtra_creds);
++ }
++ }
++ }
+ }
+-
+- krb5_cc_destroy(kcontext, xtra_creds);
+ } else if (forwarded_v5_tickets && rewrite_ccache) {
+ if ((retval = krb5_cc_initialize (kcontext, ccache, me))) {
+ syslog(LOG_ERR,
+@@ -1727,6 +1727,7 @@
+
+ if (ccname)
+ setenv("KRB5CCNAME", ccname, 1);
++ krb5_cc_set_default_name(kcontext, ccname);
+
+ setenv("HOME", pwd->pw_dir, 1);
+ setenv("PATH", LPATH, 1);
+@@ -1748,8 +1749,10 @@
+
+ #ifdef KRB5_GET_TICKETS
+ /* ccfile[0] is only set if we got tickets above */
+- if (login_krb5_get_tickets && ccfile[0])
++ if (login_krb5_get_tickets && ccfile[0]) {
+ (void) setenv(KRB5_ENV_CCNAME, ccfile, 1);
++ krb5_cc_set_default_name(kcontext, ccfile);
++ }
+ #endif /* KRB5_GET_TICKETS */
+
+ if (tty[sizeof("tty")-1] == 'd')