sshd deletes the GSSAPI ticket on exit

Darren Tucker dtucker at zip.com.au
Wed Jun 29 19:12:08 EST 2005


Senthil Kumar wrote:
[...]
> If a user (ssh) session was such that it skipped pam_authenticate() during 
> login (probably because it used a Key-based auth method),  then is it all 
> right for sshd to correspondingly skip pam_setcred() during session exit? 

No. setcred should be called before and after.

> What will happen if we take that approach?

Depends on what everybody's modules do.  Could be anything.

> As I understand it,  pam_setcred() is called as part of the authentication 
> phase as well as part of the session exit phase.  When called during 
> authentication,  pam_setcred() sets the KRB5CCNAME environment variable to 
> the credentials file name,  and when called during session exit, 
> pam_setcred() is called to delete that credentials file.

setcred isn't called as part of authentication, at least not directly. 
It's called as part of session establishment (with privsep it's called 
quite early, though).

[snip description]

> Alternatively, we could do something in sshd.  If pam_setcred() was not 
> called during authentication, then don't call pam_setcred() during session 
> exit either.

pam_setcred() is (should be) always called during session initiation.

> Could there be any problems with this approach?

Yes.  You're assuming that kerberos is the only user of pam_setcred and 
that's not necessarily so.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
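The ordering the reply insists on, as an added illustration that is not OpenSSH code: libpam is replaced by a call recorder so the sequence can be checked offline, and the phase names (assumed here) mirror the real pam_* entry points. The checker encodes the invariant that pam_setcred() is bracketed around the session whether or not pam_authenticate() ran.

```c
/* Model of sshd's PAM call sequence (added illustration, not OpenSSH code).
 * The PAM library is replaced by a recorder so the ordering can be checked
 * offline; the phase names mirror the real libpam entry points. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

enum pam_call { P_START, P_AUTHENTICATE, P_ACCT_MGMT, P_SETCRED_ESTABLISH,
                P_OPEN_SESSION, P_CLOSE_SESSION, P_SETCRED_DELETE, P_END };

#define MAX_CALLS 16
struct pam_log { enum pam_call calls[MAX_CALLS]; size_t n; };

static void record(struct pam_log *l, enum pam_call c) {
    if (l->n < MAX_CALLS) l->calls[l->n++] = c;
}

/* Session lifecycle as discussed in the thread: pam_authenticate() runs only
 * for password-style methods, but setcred is called at session start and at
 * exit regardless of how the user authenticated. skip_exit_setcred models the
 * proposal from the question (skip the exit call when authenticate was skipped). */
static void run_session(struct pam_log *l, bool password_auth, bool skip_exit_setcred) {
    memset(l, 0, sizeof(*l));
    record(l, P_START);
    if (password_auth) record(l, P_AUTHENTICATE);    /* pubkey auth: skipped */
    record(l, P_ACCT_MGMT);
    record(l, P_SETCRED_ESTABLISH);                   /* always, before the session */
    record(l, P_OPEN_SESSION);
    record(l, P_CLOSE_SESSION);
    if (!skip_exit_setcred) record(l, P_SETCRED_DELETE); /* always, after it */
    record(l, P_END);
}

/* Invariant from the reply: one ESTABLISH before open_session and one DELETE
 * after close_session, independent of whether pam_authenticate() was called. */
static bool setcred_paired(const struct pam_log *l) {
    int est = -1, del = -1, opn = -1, cls = -1;
    for (size_t i = 0; i < l->n; i++) {
        switch (l->calls[i]) {
        case P_SETCRED_ESTABLISH: est = (int)i; break;
        case P_SETCRED_DELETE:    del = (int)i; break;
        case P_OPEN_SESSION:      opn = (int)i; break;
        case P_CLOSE_SESSION:     cls = (int)i; break;
        default: break;
        }
    }
    return est >= 0 && del >= 0 && opn >= 0 && cls >= 0 && est < opn && cls < del;
}

/* Convenience wrapper: run one lifecycle variant and report whether it keeps
 * the setcred bracket intact. */
static bool check(bool password_auth, bool skip_exit_setcred) {
    struct pam_log l;
    run_session(&l, password_auth, skip_exit_setcred);
    return setcred_paired(&l);
}
```

Running the three variants shows that only the "skip setcred on exit" proposal breaks the bracket, which is why modules other than krb5 that rely on PAM_DELETE_CRED would be left with credentials never released.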