[Bug 2204] New: gssapi-with-mic and UsePrivilegeSeparation sandbox

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sun Feb 23 04:34:08 EST 2014


https://bugzilla.mindrot.org/show_bug.cgi?id=2204

            Bug ID: 2204
           Summary: gssapi-with-mic and UsePrivilegeSeparation sandbox
           Product: Portable OpenSSH
           Version: 6.4p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: minor
          Priority: P5
         Component: Kerberos support
          Assignee: unassigned-bugs at mindrot.org
          Reporter: georg at steffers.org

Authentication with gssapi-with-mic does not work when
using privilegeSeparation sandbox.

Howto reproduce:

- Use openssh in a kerborized environment.
- activate authentication with gssapi
- activate UsePrivilegeSeparation sandbox
- try to login with a TGT.

Result:

The sshd simply drops the connection without any information
about what happened.

Expected result:

If possible a succesfull login or if not at least when turning
on debugging an information why the login failed.

Additional information:

When doing an strace with the sshd I can't find even an evidence
that the krb5.keytab is tried to beloaded. I guess that sandbox
created some kind of chroot which prevents gssapi from reading
this file at all. Maybe it is possible to initialize the gssapi
before the sandbox is initialized but if that is not possible there
should be at least an information what has happened.

best regards
   Georg Hopp

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list