Bug fix: When the client connects to a server and Kerberos
authentication is enabled, the client effectively ignores any error from krb5_rd_rep due to a missing branch. In theory this could result in an ssh client using Kerberos 5 authentication accepting a spoofed AP-REP. I doubt this is a real possiblity, however, because the AP-REP is passed from the server to the client via the SSH encrypted channel. Any tampering should cause the decryption or MAC to fail. Approved by: green MFC after: 1 week
This commit is contained in:
@@ -802,6 +802,7 @@ try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context)
|
||||
problem = krb5_rd_rep(*context, *auth_context, &ap, &reply);
|
||||
if (problem) {
|
||||
ret = 0;
|
||||
goto out;
|
||||
}
|
||||
ret = 1;
|
||||
break;
|
||||
|
||||
Reference in New Issue
Block a user