From e67b64e7bc27e8c6b65f04a69a87176b0eb3be03 Mon Sep 17 00:00:00 2001
From: wollman
Date: Thu, 13 Apr 1995 15:20:35 +0000
Subject: Disallow Kerberos when S/Key is required. Fixes PR #339. Submitted by: Paul Traina
---
 usr.bin/login/login.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
(limited to 'usr.bin/login')
diff --git a/usr.bin/login/login.c b/usr.bin/login/login.c
index c10e0e2..86e8c84 100644
--- a/usr.bin/login/login.c
+++ b/usr.bin/login/login.c
@@ -274,6 +274,17 @@ main(argc, argv)
 if (pwd) {
 #ifdef KERBEROS
+#ifdef SKEY
+ /*
+ * Do not allow user to type in kerberos password
+ * over the net (actually, this is ok for encrypted
+ * links, but we have no way of determining if the
+ * link is encrypted.
+ */
+ if (!permit_password) {
+ rval = 1; /* failed */
+ } else
+#endif
 rval = klogin(pwd, instance, localhost, p);
 if (rval != 0 && rootlogin && pwd->pw_uid != 0)
 rootlogin = 0;
-- cgit v1.1
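Review bot: The new comment says the user is not allowed to type a Kerberos password over the net, but when `if (!permit_password)` runs the typed string is already in `p` (it is the argument to `klogin()` on the next context line), so the branch only refuses to check it against Kerberos. I would reword the comment to say that and close the parenthesis it leaves open, e.g. `/* S/Key is required: never verify a typed password against Kerberos, because we cannot tell whether the link is encrypted. */`. The value in `rval = 1; /* failed */` is consumed by code after the hunk that is not visible here, so it is worth confirming, and stating in the comment, that `1` leads only to the S/Key check and not to a plain-password comparison. The `else` that runs across `#endif` onto the `klogin()` call is easy to break with a later edit, so a short `/* else binds to klogin() below */` on that line would help. The body of main() starts and ends outside the hunk.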