From 9dc6c7dbec0716157e561036c480bca1bc3c7e47 Mon Sep 17 00:00:00 2001
From: Darren Tucker
Date: Wed, 2 Feb 2005 18:30:33 +1100
Subject: [PATCH] - (dtucker) [session.c sshd.c] Bug #445: Propogate KRB5CCNAME if set to child the process. Since we also unset KRB5CCNAME at startup, if it's set after authentication it must have been set by the platform's native auth system. This was already done for AIX; this enables it for the general case.
---
 ChangeLog | 6 +++++-
 session.c | 14 ++++++++++++--
 sshd.c | 6 +++---
 3 files changed, 20 insertions(+), 6 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 82758ca10..d9670f361 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,10 @@ Make record_failed_login() call provide hostname rather than having the implementations having to do lookups themselves. Only affects AIX and UNICOS (the latter only uses the "user" parameter anyway). ok djm@
+ - (dtucker) [session.c sshd.c] Bug #445: Propogate KRB5CCNAME if set to child
+ the process. Since we also unset KRB5CCNAME at startup, if it's set after
+ authentication it must have been set by the platform's native auth system.
+ This was already done for AIX; this enables it for the general case.
 20050201 - (dtucker) [log.c] Bug #973: force log_init() to open syslog, since on some
@@ -2059,4 +2063,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.3630 2005/02/02 06:10:11 dtucker Exp $
+$Id: ChangeLog,v 1.3631 2005/02/02 07:30:33 dtucker Exp $
diff --git a/session.c b/session.c
index 7f10abf7c..4d7ac9de7 100644
--- a/session.c
+++ b/session.c
@@ -1090,14 +1090,24 @@ do_setup_env(Session *s, const char *shell)
 child_set_env(&env, &envsize, "TMPDIR", cray_tmpdir);
 #endif /* _UNICOS */
+ /*
+ * Since we clear KRB5CCNAME at startup, if it's set now then it
+ * must have been set by a native authentication method (eg AIX or
+ * SIA), so copy it to the child.
+ */
+ {
+ char *cp;
+
+ if ((cp = getenv("KRB5CCNAME")) != NULL)
+ child_set_env(&env, &envsize, "KRB5CCNAME", cp);
+ }
+
+
 #ifdef _AIX
 {
 char *cp;
 if ((cp = getenv("AUTHSTATE")) != NULL)
 child_set_env(&env, &envsize, "AUTHSTATE", cp);
- if ((cp = getenv("KRB5CCNAME")) != NULL)
- child_set_env(&env, &envsize, "KRB5CCNAME", cp);
 read_environment_file(&env, &envsize, "/etc/environment");
 }
 #endif
diff --git a/sshd.c b/sshd.c
index 7f268526f..23d6962c0 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1030,13 +1030,13 @@ main(int ac, char **av)
 SYSLOG_FACILITY_AUTH : options.log_facility, log_stderr || !inetd_flag);
-#ifdef _AIX
 /*
 * Unset KRB5CCNAME, otherwise the user's session may inherit it from
 * root's environment
 */
- unsetenv("KRB5CCNAME");
-#endif /* _AIX */
+ if (getenv("KRB5CCNAME") != NULL)
+ unsetenv("KRB5CCNAME");
+
 #ifdef _UNICOS
 /* Cray can define user privs drop all privs now!
 * Not needed on PRIV_SU systems!
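Review bot: The new block in do_setup_env() exports whatever KRB5CCNAME is present in sshd's own environment, so its safety rests entirely on the unset in sshd.c main(), yet the comment only says "at startup" and does not name that dependency. Because the copy is no longer inside `#ifdef _AIX`, a moved, skipped or failed unset would hand root's credential-cache name to user sessions on every platform rather than only on AIX. I would extend the comment with a line such as `* NB: relies on the unsetenv("KRB5CCNAME") in sshd.c main(); do not remove one without the other.` do_setup_env() starts and ends outside the hunk, so whether a later child_set_env() for KRB5CCNAME elsewhere in the function overrides this value cannot be checked from here.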
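Review bot: Nothing after the `unsetenv("KRB5CCNAME")` call in main() confirms that the variable is actually gone, and the session.c hunk of this same commit now copies any surviving value into every user's environment. A fail-closed re-check placed right after the unset would cover a failed call or a duplicate entry in the inherited environment, for example `if (getenv("KRB5CCNAME") != NULL) fatal("unable to clear KRB5CCNAME");`. The reason for the new `getenv()` guard in front of `unsetenv()` is not stated, so a one-line comment naming the platform that needs it would keep it from being removed later as redundant. main() continues outside the hunk.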