commit da9984fc3aafc194485556ae2c7dc6c52cbd56c2
author Damien Miller <djm@mindrot.org> Wed Aug 31 19:46:26 2005 +1000
committer Damien Miller <djm@mindrot.org> Wed Aug 31 19:46:26 2005 +1000
tree f34f637005409c5d30b393dffe519bf7216d7f6f
parent ca9ce95bdda599dbfa566385e66732327f27dd30

 - (djm) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2005/08/30 22:08:05
     [gss-serv.c sshconnect2.c]
     destroy credentials if krb5_kuserok() call fails. Stops credentials being
     delegated to users who are not authorised for GSSAPIAuthentication when
     GSSAPIDeletegateCredentials=yes and another authentication mechanism
     succeeds; bz#1073 reported by paul.moore AT centrify.com, fix by
     simon AT sxw.org.uk, tested todd@ biorn@ jakob@; ok deraadt@

gss-serv.c

diff --git a/gss-serv.c b/gss-serv.c
index e191eb5..1171304 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: gss-serv.c,v 1.7 2005/07/17 07:17:55 djm Exp $	*/
+/*	$OpenBSD: gss-serv.c,v 1.8 2005/08/30 22:08:05 djm Exp $	*/
 
 /*
  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -275,13 +275,24 @@
 int
 ssh_gssapi_userok(char *user)
 {
+	OM_uint32 lmin;
+
 	if (gssapi_client.exportedname.length == 0 ||
 	    gssapi_client.exportedname.value == NULL) {
 		debug("No suitable client data");
 		return 0;
 	}
 	if (gssapi_client.mech && gssapi_client.mech->userok)
-		return ((*gssapi_client.mech->userok)(&gssapi_client, user));
+		if ((*gssapi_client.mech->userok)(&gssapi_client, user))
+			return 1;
+		else {
+			/* Destroy delegated credentials if userok fails */
+			gss_release_buffer(&lmin, &gssapi_client.displayname);
+			gss_release_buffer(&lmin, &gssapi_client.exportedname);
+			gss_release_cred(&lmin, &gssapi_client.creds);
+			memset(&gssapi_client, 0, sizeof(ssh_gssapi_client));
+			return 0;
+		}
 	else
 		debug("ssh_gssapi_userok: Unknown GSSAPI mechanism");
 	return (0);