SSHD does not cleanup kerberos ticket while root logins
Michal Prochazka
michalp at ics.muni.cz
Tue Dec 2 22:53:11 EST 2008
Hi all,
It looks like a bug to me, but I'd like to ask if someone has the same
problem. We are using OpenSSH 4.3p2 from Debian 4.0 (stable), but the
same problem exists with the original OpenSSH 4.3p2. When root logs in with his
Kerberos ticket and then logs out, his ticket remains on the machine. I
found in the source (sshd.c), in the privsep_postauth function, that if root
logs in then use_privsep is set to 0 and the call to
do_setusercontext is skipped. But the function do_setusercontext calls
ssh_gssapi_storecreds, where the structure client->store.filename is filled
with the filename of the Kerberos ticket. So then if
ssh_gssapi_cleanup_creds is called it does nothing because
gssapi_client.store.filename is empty.
We are also using pam_krb5, but with the option minimal_uid=200, so the root
login is not affected.
My sshd_config:
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
Regards,
Michal P.
--
Michal Prochazka // michalp at ics.muni.cz
Supercomputing Center Brno
Institute of Computer Science
Masaryk University
Botanicka 68a, 60200 Brno, CZ
CESNET z.s.p.o.
Zikova 4, 16200 Praha 6, CZ
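A check for the symptom described above, as an added example that is not part of the original post or of OpenSSH: it lists credential caches that an MIT Kerberos build of sshd stores as krb5cc_<uid>_<random>, restricted to uid 0 and older than a given age, so an admin can see whether root tickets are being left behind after logout. The cache directory, the naming scheme and the age threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenSSH.
# Assumption: ssh_gssapi_storecreds() with MIT krb5 writes caches as
# <dir>/krb5cc_<uid>_<random>; root's caches therefore match krb5cc_0_*.

# stale_root_ccaches DIR MINUTES
#   Print, one per line and sorted, every regular file directly in DIR named
#   krb5cc_0_* whose modification time is more than MINUTES minutes ago.
#   A cache that outlives the session by that margin is a leftover ticket.
stale_root_ccaches() {
    dir=$1
    minutes=$2
    find "$dir" -maxdepth 1 -type f -name 'krb5cc_0_*' -mmin +"$minutes" | sort
}

# count_stale_root_ccaches DIR MINUTES
#   Number of such caches; prints 0 when there are none.
count_stale_root_ccaches() {
    stale_root_ccaches "$1" "$2" | grep -c .
}

# report_stale_root_ccaches DIR MINUTES
#   Human-readable report; shows principal and expiry via klist when present.
report_stale_root_ccaches() {
    stale_root_ccaches "$1" "$2" | while IFS= read -r cc; do
        echo "stale root ccache: $cc"
        if command -v klist >/dev/null 2>&1; then
            klist -c "$cc" 2>/dev/null | head -n 3
        fi
    done
}
```

Run it as `report_stale_root_ccaches /tmp 60` on the host after a root GSSAPI login has ended; with GSSAPICleanupCredentials working, the list should be empty.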