[Bug 1945] New: Only 1 of the 2 krb cache files is removed on closing the ssh connection with UsePrivilegeSeparation=yes

bugzilla-daemon at bugzilla.mindrot.org
Thu Oct 20 19:55:37 EST 2011


https://bugzilla.mindrot.org/show_bug.cgi?id=1945

             Bug #: 1945
           Summary: Only 1 of the 2 krb cache files is removed on closing
                    the ssh connection with UsePrivilegeSeparation=yes
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: 5.8p1
          Platform: All
        OS/Version: HP-UX
            Status: NEW
          Severity: normal
          Priority: P2
         Component: PAM support
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: balu9463 at gmail.com


This is my first bug report; please correct me if necessary.

For a non-root user, when ChallengeResponse is used with PAM_Kerberos
and UsePrivilegeSeparation=yes, sshd creates two
credential files in /tmp, and at the end of the session only one
is removed.


$ ssh system1
.
.
$ ps -ef | grep ssh
    root   170     1  0 14:01:58 ?         0:00 /opt/ssh/sbin/sshd
    test   245   243  0 14:03:41 ?         0:00 sshd: test at pts/0
    test   242   225  0 14:03:39 pts/tb    0:00 ssh system1
    root   243   170  0 14:03:39 ?         0:02 sshd: test [priv]

$ ll /tmp/krb5cc*
-rw-------   1 test       users          416 Oct 20 14:03 /tmp/krb5cc_170_243
-rw-------   1 test       users          416 Oct 20 14:03 /tmp/krb5cc_243_245


Env KRB5CCNAME is set to
KRB5CCNAME=FILE:/tmp/krb5cc_243_245


On closing the session, the cache file corresponding to the nonpriv
process is not removed.
$ ll /tmp/krb5cc*
-rw-------   1 test       users          416 Oct 20 14:03 /tmp/krb5cc_243_245

I have tested this on HP-UX but believe the same behaviour occurs on other
OSes as well.

A probable fix is to change the condition in
sshpam_cleanup(void) in auth-pam.c:

<       if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor()))
---
>       if (sshpam_handle == NULL && (use_privsep && !mm_is_monitor()))
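Review bot: changing `||` to `&&` weakens the NULL guard instead of relaxing only the privsep guard: with `&&`, a call where `sshpam_handle == NULL` in the monitor (where `mm_is_monitor()` is true) no longer returns early, so the rest of sshpam_cleanup() runs against a NULL handle. Keep the NULL check as its own early return (`if (sshpam_handle == NULL) return;`) and address the privsep condition separately. The listing above shows one cache named with the monitor's pid (krb5cc_170_243) and one with the child's (krb5cc_243_245), so each process opened its own PAM session; the cache the child created can only be cleaned up by the child, and that is exactly what the `use_privsep && !mm_is_monitor()` early return prevents. The fix should let the unprivileged child run its own cleanup rather than drop the NULL guard.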

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
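Until sshd is fixed, an administrator will want to find the credential caches this bug leaves behind, since each holds the user's Kerberos tickets past the end of the session. The following is an added example and not part of the bug report or of OpenSSH; it assumes the naming scheme visible in the listing above, /tmp/krb5cc_<parent pid>_<pid>, and treats a cache whose pid no longer exists as stale, while leaving ordinary krb5cc_<uid> caches created by kinit alone.

```python
"""Find stale sshd Kerberos credential caches (example, not OpenSSH code).

sshd names its per-session caches /tmp/krb5cc_<parent pid>_<pid>, as in the
report: krb5cc_170_243 for the monitor and krb5cc_243_245 for the child.
A cache whose pid no longer refers to a live process is stale.
"""
import os
import re

# Matches only sshd-style two-number names; krb5cc_<uid> (kinit) does not match.
CACHE_RE = re.compile(r"^krb5cc_(\d+)_(\d+)$")


def parse_cache_name(name):
    """Return (ppid, pid) for an sshd-style cache name, or None otherwise."""
    m = CACHE_RE.match(name)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def pid_alive(pid):
    """True if a process with this pid exists (signal 0 probes, sends nothing)."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, but owned by another user
    return True


def stale_caches(names, alive):
    """Return sshd-style cache names whose pid component is no longer running."""
    stale = []
    for name in names:
        parsed = parse_cache_name(name)
        if parsed is None:
            continue  # not an sshd session cache; never touch a user's own cache
        _ppid, pid = parsed
        if not alive(pid):
            stale.append(name)
    return stale


def scan(directory="/tmp", remove=False):
    """Scan a directory for stale sshd caches and optionally unlink them."""
    found = stale_caches(os.listdir(directory), pid_alive)
    if remove:
        for name in found:
            os.unlink(os.path.join(directory, name))
    return found


# Constructed sample: the report's files after the session ended (pids 243 and
# 245 gone, master sshd 170 still running) plus a user's own kinit cache.
SAMPLE_LISTING = ["krb5cc_243_245", "krb5cc_1001", "krb5cc_170_243"]
SAMPLE_LIVE_PIDS = {1, 170}

if __name__ == "__main__":
    print(stale_caches(SAMPLE_LISTING, lambda p: p in SAMPLE_LIVE_PIDS))
```

Pids are reused, so a periodic job should also require the file to be older than the longest plausible login before unlinking, and run as root so that os.kill can probe every user's processes.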


More information about the openssh-bugs mailing list