Mike Dopheide dopheide at
Thu Nov 13 12:03:37 EST 2003

In case anyone else was having this problem, I've submitted a patch to
OpenSSH's Bugzilla (Bug #757).


> Mike Dopheide wrote:
> > 
> > I believe there is a bug in how AIX handles the KRB5CCNAME environment
> > variable.  The symptom occurs when a root user restarts sshd while they
> > have KRB5CCNAME set; all of the resulting client connections will inherit
> > the same KRB5CCNAME variable.  This can occur if the admin uses 'ksu' or
> > some other kerberized method of obtaining root privileges.
> [snip]
> > On about line 1087 of session.c we see this:
> [snip code]
> > It seems to me that this section of code takes the KRB5CCNAME from sshd
> > (if it exists) and hands it off to the child.  My question is, why would
> > you ever want to do this?
> I've never used Kerberos on AIX but I would guess that this is to handle
> the case where KRB5CCNAME is set by one of the modules called by the AIX's
> authenticate() function.
> It would seem that KRB5CCNAME should be cleared from the sshd's
> environment when it starts up to prevent the situation you're describing.


More information about the openssh-unix-dev mailing list