[krbdev.mit.edu #8015] git commit

Tom Yu via RT rt-comment at krbdev.mit.edu
Thu Sep 18 16:46:08 EDT 2014


Fix ksu crash in cases where it obtains the TGT

In order to allow ksu to use any locally-present service key for
verifying creds, the previous change to ksu switched from using a
retrieved or obtained TGT to fetch creds for the local "host" service,
and then passing those creds to krb5_verify_init_creds(), to passing the
retrieved TGT directly to krb5_verify_init_creds().

It did not take care to retrieve the TGT from the temporary ccache if it
had obtained them, and in those cases it would attempt to verify NULL
creds.

Modify the krb5_get_tkt_via_passwd() function to call
krb5_get_init_creds_password(), to pass back the freshly-obtained creds,
to take a "krb5_get_init_creds_opt" pointer instead of a locally-defined
options structure, and rename it to ksu_get_tgt_via_passwd().

(cherry picked from commit 5fd5a67c5a93514e7d0a64425baa007ad91f57de)

https://github.com/krb5/krb5/commit/5ccab825a11b1c7f3edf4287d56202d00dd5b233
Author: Nalin Dahyabhai <nalin at redhat.com>
Committer: Tom Yu <tlyu at mit.edu>
Commit: 5ccab825a11b1c7f3edf4287d56202d00dd5b233
Branch: krb5-1.13
 src/clients/ksu/heuristic.c   |    4 +-
 src/clients/ksu/krb_auth_su.c |   58 ++++++++++++----------------------------
 src/clients/ksu/ksu.h         |   17 +++--------
 src/clients/ksu/main.c        |   56 ++++++++++++++++-----------------------
 4 files changed, 48 insertions(+), 87 deletions(-)
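
The failure mode the commit message describes, as an added simplified model (not ksu's code and not part of the original commit). All types, functions and error codes below are hypothetical stand-ins for the libkrb5 calls, and the password literal is constructed sample input.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for this model; not libkrb5 types or ksu's code. */
struct creds { char client[32]; int valid; };
struct ccache { struct creds tgt; int has_tgt; };
enum { OK = 0, ERR_NO_CREDS = -1, ERR_BAD_PASSWORD = -2 };

/* Verification step. The model reports a missing TGT as an error so the
 * faulty path is observable instead of being a NULL dereference. */
static int verify_init_creds(const struct creds *tgt)
{
    if (tgt == NULL || !tgt->valid)
        return ERR_NO_CREDS;
    return OK;
}

/* "Before" shape: a freshly obtained TGT lands only in the temporary ccache. */
static int get_tgt_before(struct ccache *tmp, const char *client, const char *pw)
{
    if (strcmp(pw, "correct-password") != 0)    /* constructed sample secret */
        return ERR_BAD_PASSWORD;
    snprintf(tmp->tgt.client, sizeof(tmp->tgt.client), "%s", client);
    tmp->tgt.valid = 1;
    tmp->has_tgt = 1;
    return OK;
}

/* "After" shape: the fresh TGT is also passed back through an out-parameter. */
static int get_tgt_after(struct ccache *tmp, const char *client, const char *pw,
                         struct creds *out)
{
    int ret = get_tgt_before(tmp, client, pw);
    if (ret == OK)
        *out = tmp->tgt;
    return ret;
}

/* Caller: reuse a cached TGT if one exists, otherwise obtain one, then verify. */
int authorize(struct ccache *cache, const char *client, const char *pw, int fixed)
{
    struct ccache tmp = {0};
    struct creds fresh = {0}, *tgt = NULL;
    int ret = OK;

    if (cache != NULL && cache->has_tgt)
        tgt = &cache->tgt;                       /* retrieved path */
    else if (fixed && (ret = get_tgt_after(&tmp, client, pw, &fresh)) == OK)
        tgt = &fresh;                            /* obtained, passed back */
    else if (!fixed)
        ret = get_tgt_before(&tmp, client, pw);  /* obtained, tgt stays NULL */
    return ret != OK ? ret : verify_init_creds(tgt);
}
```

Only the path that has to obtain a TGT differs between the two shapes, which is why a test that starts with a populated ccache does not exercise the fault.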


