AIX KRB5CCNAME problem
Mike Dopheide
dopheide at ncsa.uiuc.edu
Thu Nov 13 12:03:37 EST 2003
In case anyone else was having this problem, I've submitted a patch to
OpenSSH's Bugzilla (Bug #757).
-Mike
> Mike Dopheide wrote:
> >
> > I believe there is a bug in how AIX handles the KRB5CCNAME environment
> > variable. The symptom occurs when a root user restarts sshd while they
> > have KRB5CCNAME set; all of the resulting client connections will inherit
> > the same KRB5CCNAME variable. This can occur if the admin uses 'ksu' or
> > some other kerberized method of obtaining root privileges.
> [snip]
> > On about line 1087 of session.c we see this:
> [snip code]
> > It seems to me that this section of code takes the KRB5CCNAME from sshd
> > (if it exists) and hands it off to the child. My question is, why would
> > you ever want to do this?
>
> I've never used Kerberos on AIX but I would guess that this is to handle
> the case where KRB5CCNAME is set by one of the modules called by AIX's
> authenticate() function.
>
> It would seem that KRB5CCNAME should be cleared from sshd's
> environment when it starts up to prevent the situation you're describing.
>
>
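
The startup scrub suggested in the reply above, as an added C example that is not part of the original thread and is not the patch filed as Bug #757. `scrub_daemon_env` and `child_inherits_ccname` are hypothetical names (the second is a stand-in for the session setup step the thread describes), and the credential cache path is a constructed value.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L /* setenv, unsetenv */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Variables an admin's shell may carry that must not leak into every
 * session the daemon later spawns. KRB5CCNAME is the one from the thread;
 * keeping it in a list is an assumption of this example. */
static const char *const stale_vars[] = { "KRB5CCNAME", NULL };

/* Call once at daemon startup, before any authentication module runs.
 * Returns the number of variables removed. */
int scrub_daemon_env(void)
{
    int removed = 0;
    for (size_t i = 0; stale_vars[i] != NULL; i++) {
        if (getenv(stale_vars[i]) != NULL && unsetenv(stale_vars[i]) == 0)
            removed++;
    }
    return removed;
}

/* Stand-in for the session setup step: copy KRB5CCNAME from the daemon's
 * environment into the child's. Writes "KRB5CCNAME=<value>" into buf and
 * returns 1, or returns 0 if it is unset or the buffer is too small. */
int child_inherits_ccname(char *buf, size_t len)
{
    const char *cc = getenv("KRB5CCNAME");
    if (cc == NULL)
        return 0;
    int n = snprintf(buf, len, "KRB5CCNAME=%s", cc);
    return n > 0 && (size_t)n < len;
}

int main(void)
{
    char entry[256];
    /* Constructed value: root restarted the daemon after ksu. */
    setenv("KRB5CCNAME", "FILE:/tmp/krb5cc_constructed_root", 1);
    printf("before scrub: inherits=%d\n", child_inherits_ccname(entry, sizeof entry));
    scrub_daemon_env();
    printf("after scrub:  inherits=%d\n", child_inherits_ccname(entry, sizeof entry));
    return 0;
}
```

Because the scrub runs before any authentication module, a KRB5CCNAME that a module sets later for a specific login would still reach that session's child.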