[Heimdal-source-changes] [heimdal/heimdal] ca052e: Fix gss_inquire_cred_by_mech.
GitHub
noreply at github.com
Tue Mar 10 04:12:14 CET 2015
Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: ca052eadd5590e9d7feafc2b7b805a2e1c577c92
https://github.com/heimdal/heimdal/commit/ca052eadd5590e9d7feafc2b7b805a2e1c577c92
Author: Viktor Dukhovni <viktor at twosigma.com>
Date: 2015-03-10 (Tue, 10 Mar 2015)
Changed paths:
M lib/gssapi/krb5/inquire_cred.c
M lib/gssapi/krb5/inquire_cred_by_mech.c
Log Message:
-----------
Fix gss_inquire_cred_by_mech.

Delegated or other explicit credentials were mishandled; the code only
worked correctly when processing default credentials. In particular
this caused root's default credential cache to be accessed when accepting
delegated credentials in SSH:

    ssh_gssapi_accept_ctx() ->
        ssh_gssapi_getclient() ->
            gss_inquire_cred_by_mech()

When /tmp/krb5cc_0 contained expired tickets, cascaded credentials
stopped working for non-root users!
Commit: fca6363307d03a7c80ad201f17f5d357b794c4e9
https://github.com/heimdal/heimdal/commit/fca6363307d03a7c80ad201f17f5d357b794c4e9
Author: Viktor Dukhovni <viktor at twosigma.com>
Date: 2015-03-10 (Tue, 10 Mar 2015)
Changed paths:
M lib/gssapi/krb5/accept_sec_context.c
Log Message:
-----------
Drop delegated creds when target is NULL

In gsskrb5_accept_delegated_token() it is wrong to store the delegated
credentials in the default ccache by default. When the caller does not
provide a target credential handle, we just do nothing and return success.

Test the return value of gsskrb5_accept_delegated_token() against
GSS_S_COMPLETE, rather than 0.
Compare: https://github.com/heimdal/heimdal/compare/84852509896a...fca6363307d0