[Bug 2107] seccomp sandbox breaks GSSAPI
bugzilla-daemon at bugzilla.mindrot.org
Thu Aug 9 22:02:44 AEST 2018
https://bugzilla.mindrot.org/show_bug.cgi?id=2107
Jakub Jelen <jjelen at redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jjelen at redhat.com
--- Comment #11 from Jakub Jelen <jjelen at redhat.com> ---
It looks like I am late for the party, but this unfortunately does not
address the issue completely. For some reason, the configuration can
look like this:

GSSAPIAuthentication no
Match User root
GSSAPIAuthentication yes

and in this case, the caching mechanisms will not be triggered; the
separated child will try to load the data later and fail:

Program received signal SIGSYS, Bad system call.
[Switching to Thread 0x7f67e97f88c0 (LWP 9647)]
0x00007f67e4c3de39 in pthread_once () from /lib64/libpthread.so.0
(gdb) bt
#0 0x00007f67e4c3de39 in pthread_once () from /lib64/libpthread.so.0
#1 0x00007f67e3379b68 in krb5int_pthread_loaded () from /lib64/libkrb5support.so.0
#2 0x00007f67e337a0f1 in k5_once () from /lib64/libkrb5support.so.0
#3 0x00007f67e74021e7 in gssint_mechglue_initialize_library () from /lib64/libgssapi_krb5.so.2
#4 0x00007f67e74022b5 in gss_indicate_mechs () from /lib64/libgssapi_krb5.so.2
#5 0x00005594c41f2e4f in ssh_gssapi_supported_oids (oidset=oidset@entry=0x5594c4490088 <supported_oids>) at gss-serv.c:179
#6 0x00005594c41f2f55 in ssh_gssapi_prepare_supported_oids () at gss-serv.c:82
#7 ssh_gssapi_test_oid_supported (ms=0x7ffc60dc75f0, member=0x7ffc60dc7600, present=0x7ffc60dc75ec) at gss-serv.c:89
#8 0x00005594c41f23d8 in userauth_gssapi (authctxt=0x5594c48fe500) at auth2-gss.c:127
#9 0x00005594c41e0b1c in input_userauth_request (type=<optimized out>, seq=<optimized out>, ctxt=0x5594c48fe500) at auth2.c:295
#10 0x00005594c42227a9 in ssh_dispatch_run (ssh=ssh@entry=0x5594c49008c0, mode=mode@entry=0, done=done@entry=0x5594c48fe500, ctxt=ctxt@entry=0x5594c48fe500) at dispatch.c:119
#11 0x00005594c42227f9 in ssh_dispatch_run_fatal (ssh=0x5594c49008c0, mode=mode@entry=0, done=done@entry=0x5594c48fe500, ctxt=ctxt@entry=0x5594c48fe500) at dispatch.c:140
#12 0x00005594c41dfde9 in do_authentication2 (authctxt=authctxt@entry=0x5594c48fe500) at auth2.c:175
#13 0x00005594c41d1ee7 in main (ac=<optimized out>, av=<optimized out>) at sshd.c:2191

Collin, can you confirm you can reproduce the same issue?
I cannot think of a sensible way around this without initializing the
Kerberos library and loading the OIDs unconditionally.
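
A check for the configuration shape described in the comment above, added here as an example (not part of the original bug comment and not OpenSSH code): it scans sshd_config text and reports Match blocks that turn GSSAPIAuthentication on while the global section leaves it off. The function name and the sample config constant are constructed for illustration; it assumes an unset global value counts as off and it does not follow Include directives.

```python
import re

# Constructed sample: the configuration quoted in the comment above.
AFFECTED = """\
GSSAPIAuthentication no
Match User root
GSSAPIAuthentication yes
"""


def gssapi_only_in_match(config_text):
    """Return headers of Match blocks that enable GSSAPIAuthentication while
    the global section has it off (explicit "no", or unset: assumed off)."""
    global_value = None   # first value seen in the global section wins
    blocks = []           # [header line, first GSSAPIAuthentication value]
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Accept "Keyword value" and "Keyword=value"; keywords are
        # case-insensitive in sshd_config.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            # A Match block runs until the next Match line or end of file.
            blocks.append([line, None])
            continue
        if keyword != "gssapiauthentication":
            continue
        if len(parts) < 2 or not parts[1].strip():
            continue      # keyword without a value: nothing to record
        value = parts[1].split()[0].strip('"').lower()
        if not blocks:
            if global_value is None:
                global_value = value
        elif blocks[-1][1] is None:
            blocks[-1][1] = value
    if global_value == "yes":
        return []         # enabled globally: not the shape described here
    return [header for header, value in blocks if value == "yes"]


if __name__ == "__main__":
    for header in gssapi_only_in_match(AFFECTED):
        print("GSSAPIAuthentication enabled only inside:", header)
```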