author nectar <nectar@FreeBSD.org> 2001-07-13 18:12:13 +0000
committer nectar <nectar@FreeBSD.org> 2001-07-13 18:12:13 +0000
commit 0e7f0df834bc075db63f8142d799d31036a37bd3
tree ca0f98072dcaca6a3189c501f46ac345b9faecc7 /crypto
parent 2d388a1550ead8c438862577afebe5e5d2be978b
Bug fix: When the client connects to a server and Kerberos authentication is enabled, the client effectively ignores any error from krb5_rd_rep due to a missing branch.

In theory this could result in an ssh client using Kerberos 5 authentication accepting a spoofed AP-REP. I doubt this is a real possibility, however, because the AP-REP is passed from the server to the client via the SSH encrypted channel. Any tampering should cause the decryption or MAC to fail.

Approved by: green
MFC after: 1 week
Diffstat (limited to 'crypto')
-rw-r--r-- crypto/openssh/sshconnect.c 1
1 files changed, 1 insertions, 0 deletions
diff --git a/crypto/openssh/sshconnect.c b/crypto/openssh/sshconnect.c
index eb3e66a..679660f 100644
--- a/crypto/openssh/sshconnect.c
+++ b/crypto/openssh/sshconnect.c
@@ -802,6 +802,7 @@ try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context)
problem = krb5_rd_rep(*context, *auth_context, &ap, &reply);
if (problem) {
ret = 0;
+ goto out;
}
ret = 1;
break;
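Review bot: in the `if (problem)` branch after `krb5_rd_rep`, the result still fails open by construction: `ret = 0` survives only because the new `goto out` skips the unconditional `ret = 1` that follows, so any later edit that drops or moves the jump silently turns a rejected AP-REP back into success. Consider assigning `ret = 1` only on the `!problem` path, or leaving `ret` at a failing default and setting it once on success, so the check fails closed. The `problem` code is also discarded here; logging it before the jump would let a failed AP-REP verification be told apart from other authentication failures. The `out` label is outside this hunk, so it is worth confirming that the cleanup there does not read `reply`, which is only handed to `krb5_rd_rep` on this path and may not have been set when the call fails.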