Diffstat (limited to 'crypto/kerberosIV/lib/auth/afskauthlib/verify.c')
-rw-r--r--crypto/kerberosIV/lib/auth/afskauthlib/verify.c143
1 files changed, 109 insertions, 34 deletions
diff --git a/crypto/kerberosIV/lib/auth/afskauthlib/verify.c b/crypto/kerberosIV/lib/auth/afskauthlib/verify.c
index f7db523..1c23119 100644
--- a/crypto/kerberosIV/lib/auth/afskauthlib/verify.c
+++ b/crypto/kerberosIV/lib/auth/afskauthlib/verify.c
@@ -14,12 +14,7 @@
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
+ * 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
@@ -38,7 +33,7 @@
#ifdef HAVE_CONFIG_H
#include <config.h>
-RCSID("$Id: verify.c,v 1.13 1999/04/08 12:36:16 joda Exp $");
+RCSID("$Id: verify.c,v 1.20 1999/12/02 16:58:37 joda Exp $");
#endif
#include <unistd.h>
#include <sys/types.h>
@@ -52,10 +47,24 @@ RCSID("$Id: verify.c,v 1.13 1999/04/08 12:36:16 joda Exp $");
#endif
#include <roken.h>
-#if 0
+#ifdef KRB5
static char krb5ccname[128];
#endif
+#ifdef KRB4
static char krbtkfile[128];
+#endif
+
+/*
+ In some cases is afs_gettktstring called twice (once before
+ afs_verify and once after afs_verify).
+ In some cases (rlogin with access allowed via .rhosts)
+ afs_verify is not called!
+ So we can't rely on correct value in krbtkfile in some
+ cases!
+*/
+
+static int correct_tkfilename=0;
+static int pag_set=0;
#ifdef KRB4
static void
@@ -63,9 +72,44 @@ set_krbtkfile(uid_t uid)
{
snprintf (krbtkfile, sizeof(krbtkfile), "%s%d", TKT_ROOT, (unsigned)uid);
krb_set_tkt_string (krbtkfile);
+ correct_tkfilename = 1;
}
#endif
+/* XXX this has to be the default cache name, since the KRB5CCNAME
+ * environment variable isn't exported by login/xdm
+ */
+
+#ifdef KRB5
+static void
+set_krb5ccname(uid_t uid)
+{
+ snprintf (krb5ccname, sizeof(krb5ccname), "FILE:/tmp/krb5cc_%d", uid);
+#ifdef KRB4
+ snprintf (krbtkfile, sizeof(krbtkfile), "%s%d", TKT_ROOT, (unsigned)uid);
+#endif
+ correct_tkfilename = 1;
+}
+#endif
+
+static void
+set_spec_krbtkfile(void)
+{
+ int fd;
+#ifdef KRB4
+ snprintf (krbtkfile, sizeof(krbtkfile), "%s_XXXXXX", TKT_ROOT);
+ fd = mkstemp(krbtkfile);
+ close(fd);
+ unlink(krbtkfile);
+ krb_set_tkt_string (krbtkfile);
+#endif
+#ifdef KRB5
+ snprintf(krb5ccname, sizeof(krb5ccname),"FILE:/tmp/krb5cc_XXXXXX");
+ fd=mkstemp(krb5ccname+5);
+ close(fd);
+ unlink(krb5ccname+5);
+#endif
+}
#ifdef KRB5
static int
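Review bot: `set_spec_krbtkfile` never checks the result of `mkstemp()` (on failure it calls `close(-1)` and then `unlink()`s the unmodified `_XXXXXX` template), and by closing and unlinking the file it just made it throws away the only property mkstemp provides — a name that is reserved while the file exists. After the `unlink` the paths left in `krbtkfile` and `krb5ccname` are just predictable names in world-writable /tmp that the ticket library will presumably create later, so another local user can plant a file or symlink at that path in between. If the ticket library can take over an existing empty file, leave the zero-length file in place (or hold the fd) until the cache is written instead of unlinking it; at minimum add `if (fd < 0) { syslog(LOG_AUTH|LOG_DEBUG, "mkstemp: %s", strerror(errno)); return; }` before the `close`. Separately, `set_krb5ccname` formats `uid` with `%d` while the KRB4 line next to it casts to `(unsigned)`; use the same cast in both.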
@@ -76,42 +120,38 @@ verify_krb5(struct passwd *pwd,
{
krb5_context context;
krb5_error_code ret;
- char ticket[128];
krb5_ccache ccache;
krb5_principal principal;
- krb5_realm realm;
krb5_init_context(&context);
- krb5_get_default_realm(context, &realm);
- krb5_make_principal(context, &principal, realm, pwd->pw_name, NULL);
-
- if(!krb5_kuserok(context, principal, pwd->pw_name)) {
- syslog(LOG_AUTH|LOG_DEBUG, "krb5_kuserok failed");
+ ret = krb5_parse_name (context, pwd->pw_name, &principal);
+ if (ret) {
+ syslog(LOG_AUTH|LOG_DEBUG, "krb5_parse_name: %s",
+ krb5_get_err_text(context, ret));
goto out;
}
- /* XXX this has to be the default cache name, since the KRB5CCNAME
- environment variable isn't exported by login/xdm
- */
- snprintf(ticket, sizeof(ticket), "FILE:/tmp/krb5cc_%d", pwd->pw_uid);
- ret = krb5_cc_resolve(context, ticket, &ccache);
+
+ set_krb5ccname(pwd->pw_uid);
+ ret = krb5_cc_resolve(context, krb5ccname, &ccache);
if(ret) {
syslog(LOG_AUTH|LOG_DEBUG, "krb5_cc_resolve: %s",
krb5_get_err_text(context, ret));
goto out;
}
- ret = krb5_verify_user(context,
- principal,
- ccache,
- password,
- TRUE,
- NULL);
+ ret = krb5_verify_user_lrealm(context,
+ principal,
+ ccache,
+ password,
+ TRUE,
+ NULL);
if(ret) {
syslog(LOG_AUTH|LOG_DEBUG, "krb5_verify_user: %s",
krb5_get_err_text(context, ret));
goto out;
}
+
if(chown(krb5_cc_get_name(context, ccache), pwd->pw_uid, pwd->pw_gid)) {
syslog(LOG_AUTH|LOG_DEBUG, "chown: %s",
krb5_get_err_text(context, errno));
@@ -119,17 +159,23 @@ verify_krb5(struct passwd *pwd,
}
#ifdef KRB4
- {
+ if (krb5_config_get_bool(context, NULL,
+ "libdefaults",
+ "krb4_get_tickets",
+ NULL)) {
CREDENTIALS c;
krb5_creds mcred, cred;
+ krb5_realm realm;
+ krb5_get_default_realm(context, &realm);
krb5_make_principal(context, &mcred.server, realm,
"krbtgt",
realm,
NULL);
+ free (realm);
ret = krb5_cc_retrieve_cred(context, ccache, 0, &mcred, &cred);
if(ret == 0) {
- ret = krb524_convert_creds_kdc(context, &cred, &c);
+ ret = krb524_convert_creds_kdc(context, ccache, &cred, &c);
if(ret)
krb5_warn(context, ret, "converting creds");
else {
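Review bot: The new `krb5_get_default_realm(context, &realm);` call discards its return value, so if it fails `realm` is an uninitialized pointer that is then passed to `krb5_make_principal` twice and to `free()`; write `ret = krb5_get_default_realm(context, &realm); if (ret) goto out;` (the `out:` label is later in this function). In the same block `mcred` is only ever given `.server`, yet `krb5_cc_retrieve_cred` with `whichfields == 0` will, as far as I recall of Heimdal's credential matching, also compare the client principal, reading an uninitialized field; a `memset(&mcred, 0, sizeof mcred);` before the `krb5_make_principal` call is cheap insurance and this hunk already reshapes the block. The function continues outside the hunk.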
@@ -144,13 +190,13 @@ verify_krb5(struct passwd *pwd,
krb5_free_principal(context, mcred.server);
}
- if (k_hasafs()) {
+ if (!pag_set && k_hasafs()) {
k_setpag();
+ pag_set = 1;
krb5_afslog_uid_home(context, ccache, NULL, NULL,
pwd->pw_uid, pwd->pw_dir);
}
#endif
-
out:
if(ret && !quiet)
printf ("%s\n", krb5_get_err_text (context, ret));
@@ -173,8 +219,9 @@ verify_krb4(struct passwd *pwd,
ret = krb_verify_user (pwd->pw_name, "", lrealm, password,
KRB_VERIFY_SECURE, NULL);
if (ret == KSUCCESS) {
- if (k_hasafs()) {
+ if (!pag_set && k_hasafs()) {
k_setpag ();
+ pag_set = 1;
krb_afslog_uid_home (0, 0, pwd->pw_uid, pwd->pw_dir);
}
} else if (!quiet)
@@ -192,22 +239,50 @@ afs_verify(char *name,
{
int ret = 1;
struct passwd *pwd = k_getpwnam (name);
+
if(pwd == NULL)
return 1;
+ if (ret)
+ ret = unix_verify_user (name, password);
#ifdef KRB5
- ret = verify_krb5(pwd, password, exp, quiet);
+ if (ret)
+ ret = verify_krb5(pwd, password, exp, quiet);
#endif
#ifdef KRB4
if(ret)
ret = verify_krb4(pwd, password, exp, quiet);
#endif
- if (ret)
- ret = unix_verify_user (name, password);
return ret;
}
char *
afs_gettktstring (void)
{
+ char *ptr;
+ struct passwd *pwd;
+
+ if (!correct_tkfilename) {
+ ptr = getenv("LOGNAME");
+ if (ptr != NULL && ((pwd = getpwnam(ptr)) != NULL)) {
+ set_krb5ccname(pwd->pw_uid);
+#ifdef KRB4
+ set_krbtkfile(pwd->pw_uid);
+ if (!pag_set && k_hasafs()) {
+ k_setpag();
+ pag_set=1;
+ }
+#endif
+ } else {
+ set_spec_krbtkfile();
+ }
+ }
+#ifdef KRB5
+ setenv("KRB5CCNAME",krb5ccname,1);
+#endif
+#ifdef KRB4
+ setenv("KRBTKFILE",krbtkfile,1);
return krbtkfile;
+#else
+ return "";
+#endif
}
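Review bot: In `afs_gettktstring` the call `set_krb5ccname(pwd->pw_uid);` is outside any `#ifdef KRB5`, but the function is only defined under `#ifdef KRB5` (and `krb5ccname` only declared there), so a KRB4-only build fails to link; wrap the call as `#ifdef KRB5 / set_krb5ccname(pwd->pw_uid); / #endif` like the KRB4 branch next to it. More importantly, the uid whose ticket file name is chosen — and then exported to the child via `KRB5CCNAME`/`KRBTKFILE` — is taken from the `LOGNAME` environment variable rather than from the authenticated user, and the in-hunk comment says this path runs when `afs_verify` was never called; in a root-running caller any inherited or forged `LOGNAME` that names an existing account selects that account's ticket file path, so the caller must be documented as responsible for setting `LOGNAME` itself (confirm for each login/xdm/rlogind consumer). The comment I would add above the `getenv` is: `/* Trusts LOGNAME: callers must set it from the authenticated user before calling, never pass it through from the client. */`. In `afs_verify`, moving `unix_verify_user` first means a matching local password now skips Kerberos entirely and no tickets or AFS tokens are obtained — worth a comment if that is the intended precedence.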