From donn@u.washington.edu Tue Oct 5 20:01:06 1999
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id UAA03448 for <bugs@RT-11.MIT.EDU>; Tue, 5 Oct 1999 20:01:05 -0400
Received: from jason02.u.washington.edu by MIT.EDU with SMTP
id AA23971; Tue, 5 Oct 99 20:01:06 EDT
Received: from saul8.u.washington.edu (donn@saul8.u.washington.edu [140.142.82.3])
by jason02.u.washington.edu (8.9.3+UW99.09/8.9.3+UW99.08) with ESMTP id RAA14898
for <krb5-bugs@mit.edu>; Tue, 5 Oct 1999 17:01:01 -0700
Received: (from donn@localhost)
by saul8.u.washington.edu (8.9.3+UW99.09/8.9.3+UW99.08) id RAA22680;
Tue, 5 Oct 1999 17:01:00 -0700 (PDT)
Message-Id: <199910060001.RAA22680@saul8.u.washington.edu>
Date: Tue, 5 Oct 1999 17:01:00 -0700 (PDT)
From: donn@u.washington.edu
Reply-To: donn@u.washington.edu
To: krb5-bugs@MIT.EDU
Subject: destroy tickets option
X-Send-Pr-Version: 3.99
University of Washington
Machine: RS/6000
do Kerberos authentication. By policy, we do not leave tickets on the host
during the session, due to least-common-denominator concerns about /tmp
security. The additional login option 'krb5_destroy_tickets' controls that.
recoding at the end also belongs to a previous bug report.]
*** login.c.dist Thu Sep 23 15:40:09 1999
--- login.c Tue Oct 5 16:41:11 1999
***************
*** 48,53 ****
--- 48,54 ----
*/
#define KRB5_GET_TICKETS
int login_krb5_get_tickets = 1;
+ int login_krb5_destroy_tickets = 0;
#ifdef KRB5_KRB4_COMPAT
#define KRB4_GET_TICKETS
***************
*** 343,348 ****
--- 344,350 ----
} login_conf_set[] = {
#ifdef KRB5_GET_TICKETS
"krb5_get_tickets", &login_krb5_get_tickets,
+ "krb5_destroy_tickets", &login_krb5_destroy_tickets,
#endif
#ifdef KRB5_KRB4_COMPAT
"krb4_get_tickets", &login_krb4_get_tickets,
***************
*** 1630,1652 ****
*/
#ifdef KRB5_GET_TICKETS
! if (got_v5_tickets) {
/* set up credential cache -- obeying KRB5_ENV_CCNAME
set earlier */
/* (KRB5_ENV_CCNAME == "KRB5CCNAME" via osconf.h) */
! if (retval = krb5_cc_default(kcontext, &ccache)) {
com_err(argv[0], retval, "while getting default ccache");
! } else if (retval = krb5_cc_initialize(kcontext, ccache, me)) {
! com_err(argv[0], retval, "when initializing cache");
! } else if (retval = krb5_cc_store_cred(kcontext, ccache, &my_creds)) {
! com_err(argv[0], retval, "while storing credentials");
! } else if (xtra_creds &&
! (retval = krb5_cc_copy_creds(kcontext, xtra_creds,
! ccache))) {
! com_err(argv[0], retval, "while storing credentials");
}
-
- krb5_cc_destroy(kcontext, xtra_creds);
} else if (forwarded_v5_tickets && rewrite_ccache) {
if ((retval = krb5_cc_initialize (kcontext, ccache, me))) {
syslog(LOG_ERR,
--- 1623,1654 ----
*/
#ifdef KRB5_GET_TICKETS
! if (got_v5_tickets && !login_krb5_destroy_tickets) {
/* set up credential cache -- obeying KRB5_ENV_CCNAME
set earlier */
/* (KRB5_ENV_CCNAME == "KRB5CCNAME" via osconf.h) */
! retval = krb5_cc_default(kcontext, &ccache);
! if (retval)
com_err(argv[0], retval, "while getting default ccache");
! else {
! retval = krb5_cc_initialize(kcontext, ccache, me);
! if (retval)
! com_err(argv[0], retval, "when initializing cache");
! else {
! retval = krb5_cc_store_cred(kcontext, ccache, &my_creds);
! if (retval)
! com_err(argv[0], retval, "while storing credentials");
! else {
! if (xtra_creds) {
! retval = krb5_cc_copy_creds(kcontext, xtra_creds,
! ccache);
! if (retval)
! com_err(argv[0], retval, "while storing credentials");
! krb5_cc_destroy(kcontext, xtra_creds);
! }
! }
! }
}
} else if (forwarded_v5_tickets && rewrite_ccache) {
if ((retval = krb5_cc_initialize (kcontext, ccache, me))) {
syslog(LOG_ERR,
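Review bot: In the new version `krb5_cc_destroy(kcontext, xtra_creds)` is reachable only when `login_krb5_destroy_tickets` is off and every preceding krb5_cc_* call succeeded, so with the new option enabled, or on any earlier failure, the cache held in `xtra_creds` is never destroyed — if that is a file-based cache it stays behind on disk, which is exactly what the option is meant to prevent. The cleanup should sit after the whole `if (got_v5_tickets ...)` chain rather than in the innermost `else`, e.g. `if (xtra_creds) krb5_cc_destroy(kcontext, xtra_creds);`, so it runs regardless of which path was taken. It is also worth releasing `my_creds` with `krb5_free_cred_contents` once the store decision has been made, since otherwise the obtained credentials remain in the login process's memory for the rest of the session. With the option on, this branch also no longer calls `krb5_cc_default`, so `ccache` is left as it was; if code outside the hunk later exports KRB5CCNAME from it or destroys it at logout, that needs a guard — I cannot confirm that from here. The enclosing function starts and ends outside the hunk, and the same change appears again in the repeated copy of this hunk further down the page.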
***************
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id UAA03448 for <bugs@RT-11.MIT.EDU>; Tue, 5 Oct 1999 20:01:05 -0400
Received: from jason02.u.washington.edu by MIT.EDU with SMTP
id AA23971; Tue, 5 Oct 99 20:01:06 EDT
Received: from saul8.u.washington.edu (donn@saul8.u.washington.edu [140.142.82.3])
by jason02.u.washington.edu (8.9.3+UW99.09/8.9.3+UW99.08) with ESMTP id RAA14898
for <krb5-bugs@mit.edu>; Tue, 5 Oct 1999 17:01:01 -0700
Received: (from donn@localhost)
by saul8.u.washington.edu (8.9.3+UW99.09/8.9.3+UW99.08) id RAA22680;
Tue, 5 Oct 1999 17:01:00 -0700 (PDT)
Message-Id: <199910060001.RAA22680@saul8.u.washington.edu>
Date: Tue, 5 Oct 1999 17:01:00 -0700 (PDT)
From: donn@u.washington.edu
Reply-To: donn@u.washington.edu
To: krb5-bugs@MIT.EDU
Subject: destroy tickets option
X-Send-Pr-Version: 3.99
>Number: 766
>Category: krb5-appl
>Synopsis: request destroy_ticket option to complement login get_ticket
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: change-request
>Submitter-Id: unknown
>Arrival-Date: Tue Oct 05 20:02:01 EDT 1999
>Last-Modified:
>Originator: Donn Cave
>Organization:
University Computing Services
>Category: krb5-appl
>Synopsis: request destroy_ticket option to complement login get_ticket
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: change-request
>Submitter-Id: unknown
>Arrival-Date: Tue Oct 05 20:02:01 EDT 1999
>Last-Modified:
>Originator: Donn Cave
>Organization:
University of Washington
>Release: krb5-1.1
>Environment:
System: AIX 4.2
>Environment:
Machine: RS/6000
>Description:
We use Kerberos passwords on telnet login, when the client software can't do Kerberos authentication. By policy, we do not leave tickets on the host
during the session, due to least-common-denominator concerns about /tmp
security. The additional login option 'krb5_destroy_tickets' controls that.
>How-To-Repeat:
>Fix:
[Line numbers reflect other patches reported separately, and all the recoding at the end also belongs to a previous bug report.]
*** login.c.dist Thu Sep 23 15:40:09 1999
--- login.c Tue Oct 5 16:41:11 1999
***************
*** 48,53 ****
--- 48,54 ----
*/
#define KRB5_GET_TICKETS
int login_krb5_get_tickets = 1;
+ int login_krb5_destroy_tickets = 0;
#ifdef KRB5_KRB4_COMPAT
#define KRB4_GET_TICKETS
***************
*** 343,348 ****
--- 344,350 ----
} login_conf_set[] = {
#ifdef KRB5_GET_TICKETS
"krb5_get_tickets", &login_krb5_get_tickets,
+ "krb5_destroy_tickets", &login_krb5_destroy_tickets,
#endif
#ifdef KRB5_KRB4_COMPAT
"krb4_get_tickets", &login_krb4_get_tickets,
***************
*** 1630,1652 ****
*/
#ifdef KRB5_GET_TICKETS
! if (got_v5_tickets) {
/* set up credential cache -- obeying KRB5_ENV_CCNAME
set earlier */
/* (KRB5_ENV_CCNAME == "KRB5CCNAME" via osconf.h) */
! if (retval = krb5_cc_default(kcontext, &ccache)) {
com_err(argv[0], retval, "while getting default ccache");
! } else if (retval = krb5_cc_initialize(kcontext, ccache, me)) {
! com_err(argv[0], retval, "when initializing cache");
! } else if (retval = krb5_cc_store_cred(kcontext, ccache, &my_creds)) {
! com_err(argv[0], retval, "while storing credentials");
! } else if (xtra_creds &&
! (retval = krb5_cc_copy_creds(kcontext, xtra_creds,
! ccache))) {
! com_err(argv[0], retval, "while storing credentials");
}
-
- krb5_cc_destroy(kcontext, xtra_creds);
} else if (forwarded_v5_tickets && rewrite_ccache) {
if ((retval = krb5_cc_initialize (kcontext, ccache, me))) {
syslog(LOG_ERR,
--- 1623,1654 ----
*/
#ifdef KRB5_GET_TICKETS
! if (got_v5_tickets && !login_krb5_destroy_tickets) {
/* set up credential cache -- obeying KRB5_ENV_CCNAME
set earlier */
/* (KRB5_ENV_CCNAME == "KRB5CCNAME" via osconf.h) */
! retval = krb5_cc_default(kcontext, &ccache);
! if (retval)
com_err(argv[0], retval, "while getting default ccache");
! else {
! retval = krb5_cc_initialize(kcontext, ccache, me);
! if (retval)
! com_err(argv[0], retval, "when initializing cache");
! else {
! retval = krb5_cc_store_cred(kcontext, ccache, &my_creds);
! if (retval)
! com_err(argv[0], retval, "while storing credentials");
! else {
! if (xtra_creds) {
! retval = krb5_cc_copy_creds(kcontext, xtra_creds,
! ccache);
! if (retval)
! com_err(argv[0], retval, "while storing credentials");
! krb5_cc_destroy(kcontext, xtra_creds);
! }
! }
! }
}
} else if (forwarded_v5_tickets && rewrite_ccache) {
if ((retval = krb5_cc_initialize (kcontext, ccache, me))) {
syslog(LOG_ERR,
***************
>Audit-Trail:
>Unformatted:
>Unformatted: