[Bug 2204] New: gssapi-with-mic and UsePrivilegeSeparation sandbox
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Sun Feb 23 04:34:08 EST 2014
https://bugzilla.mindrot.org/show_bug.cgi?id=2204
Bug ID: 2204
Summary: gssapi-with-mic and UsePrivilegeSeparation sandbox
Product: Portable OpenSSH
Version: 6.4p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: minor
Priority: P5
Component: Kerberos support
Assignee: unassigned-bugs at mindrot.org
Reporter: georg at steffers.org
Authentication with gssapi-with-mic does not work when
using privilegeSeparation sandbox.
Howto reproduce:
- Use openssh in a kerborized environment.
- activate authentication with gssapi
- activate UsePrivilegeSeparation sandbox
- try to login with a TGT.
Result:
The sshd simply drops the connection without any information
about what happened.
Expected result:
If possible a succesfull login or if not at least when turning
on debugging an information why the login failed.
Additional information:
When doing an strace with the sshd I can't find even an evidence
that the krb5.keytab is tried to beloaded. I guess that sandbox
created some kind of chroot which prevents gssapi from reading
this file at all. Maybe it is possible to initialize the gssapi
before the sandbox is initialized but if that is not possible there
should be at least an information what has happened.
best regards
Georg Hopp
--
You are receiving this mail because:
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list