sshd deletes the GSSAPI ticket on exit
sxw at inf.ed.ac.uk
Wed Jun 29 19:23:31 EST 2005
On Wed, 29 Jun 2005, Senthil Kumar wrote:
> I have run into a situation where a user exiting from a
> PAM_KERBEROS-authenticated session runs the risk of deleting a
> kinit-generated credentials file that was already sitting on the server.
There seem to be a number of misconceptions in your email.
Firstly, what you're describing has nothing at all to do with GSSAPI, or
the support for GSSAPI in OpenSSH. GSSAPI is an API which provides a means
of performing authentication options - it doesn't provide ticket formats
or storage - both are properties of the underlying authentication
mechanism.
Secondly, whilst OpenSSH does call pam_setcred(DELETE_CRED) on session
exit, it only does so if an earlier call successfully established
credentials. The danger is that many PAM modules also call their setcred()
function when close_session() is called.
Finally, if a PAM module deletes a ccache that it didn't create, then that
module is broken. Certainly, if it works in the way that you describe
and trusts the KRB5CCNAME variable, it's fundamentally flawed.
So, it's not really OpenSSH's problem. I'd suggest speaking to the vendor
of your PAM module.
Cheers,
Simon.
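The distinction Simon draws, as an added example that is not from this thread, from OpenSSH, or from any real PAM module: a DELETE_CRED path that removes only the cache the module recorded when it established credentials, beside the broken variant that trusts KRB5CCNAME. The cache file names, the module_state struct and run_scenario() are constructed stand-ins for what a module would keep with pam_set_data(); mkstemp() stands in for creating a real ccache.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* What a real module keeps via pam_set_data() between ESTABLISH_CRED and
 * DELETE_CRED: the one cache it created itself ("" if it created none). */
struct module_state { char owned_ccache[128]; };
/* mkstemp() stands in for krb5_cc_initialize(); returns 1 on success. */
static int create_cache(char *tmpl) {
    int fd = mkstemp(tmpl);
    return fd >= 0 && close(fd) == 0;
}
/* Make a module-owned, per-session cache (constructed name) and record it. */
static int module_establish_cred(struct module_state *st) {
    char tmpl[] = "/tmp/krb5cc_pam_XXXXXX";
    if (!create_cache(tmpl)) return 0;
    strcpy(st->owned_ccache, tmpl);
    return 1;
}
/* Broken DELETE_CRED: trusts KRB5CCNAME and unlinks whatever it names. */
static int broken_delete_cred(void) {
    const char *cc = getenv("KRB5CCNAME");
    if (cc == NULL) return 0;
    return unlink(cc) == 0;
}
/* Correct DELETE_CRED: removes only the cache recorded at establish time and
 * never consults the environment. Returns 1 if a cache was removed. */
static int safe_delete_cred(struct module_state *st) {
    if (st->owned_ccache[0] == '\0') return 0; /* we created nothing */
    int rc = unlink(st->owned_ccache) == 0;
    st->owned_ccache[0] = '\0';
    return rc;
}
/* The thread's situation: a kinit cache already exists and KRB5CCNAME names it
 * at session exit. Bit 0 = kinit cache survived, bit 1 = module cache removed. */
int run_scenario(int use_safe) {
    char kinit_cc[] = "/tmp/krb5cc_kinit_XXXXXX"; /* constructed user cache */
    if (!create_cache(kinit_cc)) return -1;
    setenv("KRB5CCNAME", kinit_cc, 1);
    struct module_state st = { "" };
    if (!module_establish_cred(&st)) { unlink(kinit_cc); return -1; }
    char module_cc[128]; strcpy(module_cc, st.owned_ccache);
    if (use_safe) safe_delete_cred(&st); else broken_delete_cred();
    int result = (access(kinit_cc, F_OK) == 0 ? 1 : 0)
               | (access(module_cc, F_OK) == 0 ? 0 : 2);
    unlink(kinit_cc); unlink(module_cc); /* remove whatever is left over */
    return result;
}
```

run_scenario(1) returns 3 (the user's kinit cache survives, the module's own cache is gone); run_scenario(0) returns 0 (the kinit cache is deleted and the module's cache is left behind).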