[Heimdal-source-changes] [heimdal/heimdal] ca052e: Fix gss_inquire_cred_by_mech.

GitHub noreply at github.com
Tue Mar 10 04:12:14 CET 2015


  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal
  Commit: ca052eadd5590e9d7feafc2b7b805a2e1c577c92
      https://github.com/heimdal/heimdal/commit/ca052eadd5590e9d7feafc2b7b805a2e1c577c92
  Author: Viktor Dukhovni <viktor at twosigma.com>
  Date:   2015-03-10 (Tue, 10 Mar 2015)

  Changed paths:
    M lib/gssapi/krb5/inquire_cred.c
    M lib/gssapi/krb5/inquire_cred_by_mech.c

  Log Message:
  -----------
  Fix gss_inquire_cred_by_mech.

Delegated or other explicit credentials were mishandled; the code only
worked correctly when processing default credentials.  In particular
this caused root's default credential cache to be accessed when accepting
delegated credentials in SSH:

    ssh_gssapi_accept_ctx() ->
        ssh_gssapi_getclient() ->
            gss_inquire_cred_by_mech()

When /tmp/krb5cc_0 contained expired tickets, cascaded credentials
stopped working for non-root users!


  Commit: fca6363307d03a7c80ad201f17f5d357b794c4e9
      https://github.com/heimdal/heimdal/commit/fca6363307d03a7c80ad201f17f5d357b794c4e9
  Author: Viktor Dukhovni <viktor at twosigma.com>
  Date:   2015-03-10 (Tue, 10 Mar 2015)

  Changed paths:
    M lib/gssapi/krb5/accept_sec_context.c

  Log Message:
  -----------
  Drop delegated creds when target is NULL

In gsskrb5_accept_delegated_token() it is wrong to store the delegated
credentials in the default ccache by default.  When the caller does not
provide a target credential handle, we just do nothing and return success.

Test the return value of gsskrb5_accept_delegated_token() against
GSS_S_COMPLETE, rather than 0.


Compare: https://github.com/heimdal/heimdal/compare/84852509896a...fca6363307d0

