diff --git a/ChangeLog b/ChangeLog index 82758ca10..d9670f361 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,10 @@ Make record_failed_login() call provide hostname rather than having the implementations having to do lookups themselves. Only affects AIX and UNICOS (the latter only uses the "user" parameter anyway). ok djm@ + - (dtucker) [session.c sshd.c] Bug #445: Propogate KRB5CCNAME if set to child + the process. Since we also unset KRB5CCNAME at startup, if it's set after + authentication it must have been set by the platform's native auth system. + This was already done for AIX; this enables it for the general case. 20050201 - (dtucker) [log.c] Bug #973: force log_init() to open syslog, since on some @@ -2059,4 +2063,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3630 2005/02/02 06:10:11 dtucker Exp $ +$Id: ChangeLog,v 1.3631 2005/02/02 07:30:33 dtucker Exp $ diff --git a/session.c b/session.c index 7f10abf7c..4d7ac9de7 100644 --- a/session.c +++ b/session.c @@ -1090,14 +1090,24 @@ do_setup_env(Session *s, const char *shell) child_set_env(&env, &envsize, "TMPDIR", cray_tmpdir); #endif /* _UNICOS */ + /* + * Since we clear KRB5CCNAME at startup, if it's set now then it + * must have been set by a native authentication method (eg AIX or + * SIA), so copy it to the child. + */ + { + char *cp; + + if ((cp = getenv("KRB5CCNAME")) != NULL) + child_set_env(&env, &envsize, "KRB5CCNAME", cp); + } + #ifdef _AIX { char *cp; if ((cp = getenv("AUTHSTATE")) != NULL) child_set_env(&env, &envsize, "AUTHSTATE", cp); - if ((cp = getenv("KRB5CCNAME")) != NULL) - child_set_env(&env, &envsize, "KRB5CCNAME", cp); read_environment_file(&env, &envsize, "/etc/environment"); } #endif diff --git a/sshd.c b/sshd.c index 7f268526f..23d6962c0 100644 --- a/sshd.c +++ b/sshd.c 
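Review bot: The new unconditional copy of `KRB5CCNAME` in do_setup_env() is only safe because sshd.c's main() clears the variable at startup, and the added comment states that dependency without saying where the clear lives. If that unsetenv() is ever made conditional again, this block would pass the daemon's inherited credential-cache name to every user session on every platform. I would name the location in the comment, e.g. `* Relies on the unsetenv("KRB5CCNAME") in sshd.c main(); that clear must stay unconditional.` It is also worth confirming that any later code in do_setup_env() which sets KRB5CCNAME from sshd's own Kerberos authentication still takes precedence over this copy; the rest of the function is outside the hunk.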
@@ -1030,13 +1030,13 @@ main(int ac, char **av) SYSLOG_FACILITY_AUTH : options.log_facility, log_stderr || !inetd_flag); -#ifdef _AIX /* * Unset KRB5CCNAME, otherwise the user's session may inherit it from * root's environment */ - unsetenv("KRB5CCNAME"); -#endif /* _AIX */ + if (getenv("KRB5CCNAME") != NULL) + unsetenv("KRB5CCNAME"); + #ifdef _UNICOS /* Cray can define user privs drop all privs now! * Not needed on PRIV_SU systems!
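Review bot: The `getenv("KRB5CCNAME") != NULL` test in front of `unsetenv("KRB5CCNAME")` is unexplained. POSIX unsetenv() already succeeds when the name is not set, so the guard reads as redundant unless it works around a particular platform or compat implementation. If that is the reason, the comment should say so, e.g. `* getenv() check: unsetenv() is not safe on a missing name on <platform>` with the platform filled in by the author. The result of the clear is also not verified, and because session.c now forwards any value still present, a clear that silently fails would expose root's credential-cache name to user sessions. main() begins and ends outside the hunk.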