|
 |
4be148 |
commit 26e202d26b47d62fbff4f153fc7f03cc300cc4ab
|
|
|
4be148 |
Author: Nalin Dahyabhai <nalin@redhat.com>
|
|
|
4be148 |
Date: Mon Sep 8 13:34:05 2014 -0400
|
|
|
4be148 |
|
|
|
4be148 |
Fix ksu crash in cases where it obtains the TGT
|
|
|
4be148 |
|
|
|
4be148 |
In order to allow ksu to use any locally-present service key for
|
|
|
4be148 |
verifying creds, the previous change to ksu switched from using a
|
|
|
4be148 |
retrieved or obtained TGT to fetch creds for the local "host" service,
|
|
|
4be148 |
and then passing those creds to krb5_verify_init_creds(), to passing the
|
|
|
4be148 |
retrieved TGT directly to krb5_verify_init_creds(). It did not take
|
|
|
4be148 |
care to retrieve the TGT from the temporary ccache if it had obtained
|
|
|
4be148 |
them, and in those cases it would attempt to verify NULL creds.
|
|
|
4be148 |
|
|
|
4be148 |
diff --git a/src/clients/ksu/krb_auth_su.c b/src/clients/ksu/krb_auth_su.c
|
|
|
4be148 |
index dd0a127..bd37c9c 100644
|
|
|
4be148 |
--- a/src/clients/ksu/krb_auth_su.c
|
|
|
4be148 |
+++ b/src/clients/ksu/krb_auth_su.c
|
|
|
4be148 |
@@ -122,6 +122,17 @@ krb5_boolean krb5_auth_check(context, client_pname, hostname, options,
|
|
|
4be148 |
return FALSE;
|
|
|
4be148 |
}
|
|
|
4be148 |
|
|
|
4be148 |
+ retval = krb5_cc_retrieve_cred(context, cc,
|
|
|
4be148 |
+ KRB5_TC_MATCH_SRV_NAMEONLY |
|
|
|
4be148 |
+ KRB5_TC_SUPPORTED_KTYPES,
|
|
|
4be148 |
+ &tgtq, &tgt);
|
|
|
4be148 |
+
|
|
|
4be148 |
+ if (! retval) retval = krb5_check_exp(context, tgt.times);
|
|
|
4be148 |
+
|
|
|
4be148 |
+ if (retval){
|
|
|
4be148 |
+ com_err(prog_name, retval, _("while getting initial credentials"));
|
|
|
4be148 |
+ return (FALSE) ;
|
|
|
4be148 |
+ }
|
|
|
4be148 |
#else
|
|
|
4be148 |
plain_dump_principal (context, client);
|
|
|
4be148 |
fprintf(stderr,
|