Mike Dopheide dopheide at
Wed Nov 12 09:24:57 EST 2003

I believe there is a bug in how AIX handles the KRB5CCNAME environment 
variable.  The symptom occurs when a root user restarts sshd while they 
have KRB5CCNAME set; all of the resulting client connections will inherit 
the same KRB5CCNAME variable.  This can occur if the admin uses 'ksu' or 
some other kerberized method of obtaining root privileges.

Investigating this problem, I stumbled across some code in session.c that 
confused me a bit.  This code exists in the OpenSSH source from at least 
as far back as 3.1 to the current source tree.

On about line 1087 of session.c we see this:
#ifdef _AIX
                char *cp;

                if ((cp = getenv("AUTHSTATE")) != NULL)
                        child_set_env(&env, &envsize, "AUTHSTATE", cp);
                if ((cp = getenv("KRB5CCNAME")) != NULL)
                        child_set_env(&env, &envsize, "KRB5CCNAME", cp);
                read_environment_file(&env, &envsize, "/etc/environment");

It seems to me that this section of code takes the KRB5CCNAME from sshd 
(if it exists) and hands it off to the child.  My question is, why would 
you ever want to do this?

The next section of code is what confused me:
#ifdef KRB5
        if (s->authctxt->krb5_ticket_file)
                child_set_env(&env, &envsize, "KRB5CCNAME",

This would appear to overwrite KRB5CCNAME with (I'm assuming) the correct 
value.  For some reason it doesn't.  Any thoughts on what I'm missing?


More information about the openssh-unix-dev mailing list