- (djm) [auth-krb5.c] bz#2032 - use local username in krb5_kuserok check

   rather than full client name which may be of form user@REALM;
   patch from Miguel Sanders; ok dtucker@

diff --git a/ChangeLog b/ChangeLog
index a4af4e897014e40f17bb031abea6f7d5f3cb668a..26b5c5d7a3bf4162ca43f1a8b8ab3f6659f4e452 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+20131024
+ - (djm) [auth-krb5.c] bz#2032 - use local username in krb5_kuserok check
+   rather than full client name which may be of form user@REALM;
+   patch from Miguel Sanders; ok dtucker@
+
 20131023
  - (djm) OpenBSD CVS Sync
    - djm@cvs.openbsd.org 2013/10/20 04:39:28

diff --git a/auth-krb5.c b/auth-krb5.c
index 7c83f597f049bb6bdd076ca13f26a0588deeefc6..6c62bdf54a516edbabdd68dbfedfd2645af6acfe 100644 (file)
--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -157,7 +157,8 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
        if (problem)
                goto out;
 
-       if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
+       if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
+           authctxt->pw->pw_name)) {
                problem = -1;
                goto out;
        }