if (ctx->client_creds)
debug("Received some client credentials");
- else
+ else if (ctx->major == GSS_S_COMPLETE)
debug("Got no client credentials");
status = ctx->major;
* we flag the user as also having been authenticated
*/
- if (((flags == NULL) || ((*flags & GSS_C_MUTUAL_FLAG) &&
- (*flags & GSS_C_INTEG_FLAG))) && (ctx->major == GSS_S_COMPLETE)) {
- if (ssh_gssapi_getclient(ctx, &gssapi_client))
+ if (ctx->major == GSS_S_COMPLETE) {
+ if (options.gss_require_mic &&
+ ((flags == NULL) || !(*flags & GSS_C_INTEG_FLAG))) {
+ debug("GSSAPIRequireMIC true and integrity protection not supported so gssapi-with-mic fails.");
+ } else if (ssh_gssapi_getclient(ctx, &gssapi_client)) {
fatal("Couldn't convert client name");
+ }
}
return (status);
debug("No suitable client data");
return 0;
}
- if (!gss_userok(gssapi_client.name, user)) {
+
+ userok = gss_userok(gssapi_client.name, user);
+ if (userok) {
+ gssapi_client.used = 1;
+ gssapi_client.store.owner = pw;
+ } else {
/* Destroy delegated credentials if userok fails */
gss_release_buffer(&lmin, &gssapi_client.displayname);
gss_release_buffer(&lmin, &gssapi_client.exportedname);
gss_release_name(&lmin, &gssapi_client.name);
gss_release_cred(&lmin, &gssapi_client.creds);
memset(&gssapi_client, 0, sizeof(ssh_gssapi_client));
- return 0;
- }
-
- if (userok) {
- gssapi_client.used = 1;
- gssapi_client.store.owner = pw;
}
return (userok);
projects / openssh.git / blobdiff