sshd deletes the GSSAPI ticket on exit

Senthil Kumar senthilkumar_sen at hotpop.com
Sat Jul 2 03:50:31 EST 2005


Simon wrote:
> Secondly, whilst OpenSSH does call pam_setcred(DELETE_CRED) on session
> exit, it only does so if an earlier call successfully established
> credentials. The danger is that many PAM modules also call their setcred()
> function when close_session() is called.

Ya, it's the variable sshpam_cred_established that is responsible for this.

> So, it's not really OpenSSH's problem. I'd suggest speaking to the vendor
> of your PAM module.
>

Ok, let me check with them.

Darren wrote:
> Sounds like the underlying problem is that your PAM module is zapping
> credential caches that it didn't create.

Yes, it checks first for its credential and if not found deletes the one it
doesn't create.

Thanks,
Senthil.


----- Original Message ----- 
From: <sxw at inf.ed.ac.uk>
To: "Senthil Kumar" <senthilkumar_sen at hotpop.com>
Cc: "OpenSSH Devel List" <openssh-unix-dev at mindrot.org>
Sent: Wednesday, June 29, 2005 2:53 PM
Subject: Re: sshd deletes the GSSAPI ticket on exit


> On Wed, 29 Jun 2005, Senthil Kumar wrote:
>
>> I have run into a situation where a user exiting from a
>> PAM_KERBEROS-authenticated session runs the risk of deleting a
>> kinit-generated credentials file that was already sitting on the server.
>
> There seem to be a number of misconceptions in your email.
>
> Firstly, what you're describing has nothing at all to do with GSSAPI, or
> the support for GSSAPI in OpenSSH. GSSAPI is an API which provides a means
> of performing authentication options - it doesn't provide ticket formats
> or storage - both are properties of the underlying authentication
> mechanism.
>
> Secondly, whilst OpenSSH does call pam_setcred(DELETE_CRED) on session
> exit, it only does so if an earlier call successfully established
> credentials. The danger is that many PAM modules also call their setcred()
> function when close_session() is called.
>
> Finally, if a PAM module deletes a ccache that it didn't create, then that
> module is broken. Certainly, if it works in the way that you describe
> and trusts the KRB5CCNAME variable, it's fundamentally flawed.
>
> So, it's not really OpenSSH's problem. I'd suggest speaking to the vendor
> of your PAM module.
>
> Cheers,
>
> Simon.
>
>
> 
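The guard Simon and Darren describe, written out as an added example that is not OpenSSH's code nor any vendor's PAM module: a session-exit handler must only remove the credential cache it established itself, never whatever KRB5CCNAME happens to point at. The names cred_state, cred_establish, cred_delete_own, cred_delete_trusting_env and preexisting_cache_survives are hypothetical; a mkstemp-created file stands in for a real Kerberos ccache, and the code assumes a writable /tmp. The "established" flag plays the same role as OpenSSH's sshpam_cred_established mentioned above.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Constructed model of the per-session state a Kerberos PAM module keeps
 * (a real module would stash this with pam_set_data()). Hypothetical names. */
struct cred_state {
    int  established;        /* set only after our own ESTABLISH_CRED succeeded */
    char ccache_path[256];   /* path of the ccache this session created, else "" */
};

/* Establish credentials for this session: create a fresh ccache of our own
 * under dir (a real module would write Kerberos tickets into it). */
int cred_establish(struct cred_state *st, const char *dir)
{
    char tmpl[256];
    int fd;

    snprintf(tmpl, sizeof tmpl, "%s/krb5cc_XXXXXX", dir);
    fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    close(fd);
    strncpy(st->ccache_path, tmpl, sizeof st->ccache_path - 1);
    st->ccache_path[sizeof st->ccache_path - 1] = '\0';
    st->established = 1;
    return 0;
}

/* The behaviour Simon calls fundamentally flawed: on DELETE_CRED, trust
 * whatever KRB5CCNAME points at and remove it, whoever created it. */
int cred_delete_trusting_env(const char *krb5ccname)
{
    const char *path = krb5ccname;

    if (path == NULL)
        return 0;
    if (strncmp(path, "FILE:", 5) == 0)
        path += 5;
    return unlink(path) == 0 ? 1 : 0;
}

/* The fix: only delete the ccache this session established, and only if
 * establishing it actually succeeded. Returns 1 if a file was removed. */
int cred_delete_own(struct cred_state *st)
{
    int removed;

    if (!st->established || st->ccache_path[0] == '\0')
        return 0;
    removed = unlink(st->ccache_path) == 0 ? 1 : 0;
    st->established = 0;
    st->ccache_path[0] = '\0';
    return removed;
}

static int file_exists(const char *path)
{
    struct stat sb;
    return stat(path, &sb) == 0;
}

/* Replays the thread's scenario in a scratch directory: a kinit-created
 * ccache already exists and KRB5CCNAME points at it, then a PAM session
 * establishes its own cache and exits. Returns 1 if the user's pre-existing
 * cache survived, 0 if the module zapped it, -1 on setup failure. */
int preexisting_cache_survives(int trust_env)
{
    char dir[] = "/tmp/ccdemo_XXXXXX";
    char kinit_cc[512], env[600];
    struct cred_state st = {0, ""};
    FILE *f;
    int survived;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(kinit_cc, sizeof kinit_cc, "%s/krb5cc_kinit", dir);
    f = fopen(kinit_cc, "w");
    if (f == NULL)
        return -1;
    fputs("constructed: user's kinit cache\n", f);
    fclose(f);
    snprintf(env, sizeof env, "FILE:%s", kinit_cc); /* what KRB5CCNAME would hold */

    if (cred_establish(&st, dir) != 0)
        return -1;
    if (trust_env)
        cred_delete_trusting_env(env);
    else
        cred_delete_own(&st);
    survived = file_exists(kinit_cc);

    /* scratch cleanup */
    unlink(kinit_cc);
    if (st.ccache_path[0] != '\0')
        unlink(st.ccache_path);
    rmdir(dir);
    return survived;
}

int main(void)
{
    printf("delete own cache: pre-existing survives = %d\n", preexisting_cache_survives(0));
    printf("trust KRB5CCNAME: pre-existing survives = %d\n", preexisting_cache_survives(1));
    return 0;
}
```

Running it shows the two outcomes side by side: with the ownership check the kinit cache is untouched, while the environment-trusting path removes it, which is exactly the report that opened the thread. Note that the flawed variant also leaks the cache the session did create, since it never looks at its own state.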