windigo post-mortem

Kevin Brott kevin.brott at gmail.com
Sat Mar 22 01:48:11 EST 2014


Confirmed - it appears to be linked into libgssapi_krb5.so and libkrb5.so,
which in Debian are provided by libgssapi-krb5-2 and libkrb5-3, which are
both direct dependencies of the openssh-server package.

The link chain goes like so: sshd <- libkrb5.so <- libkeyutils.so

It's in RHEL as far back as at least 5.4 (while it exists in 4.6 it's not
linked into ssh), keyutils-libs is a dependency of krb5-libs - so it's
still an indirect dependency of the openssh-server package.



On Fri, Mar 21, 2014 at 7:04 AM, Daniel Kahn Gillmor
<dkg at fifthhorseman.net> wrote:

> On Fri 2014-03-21 03:35:20 -0400, Damien Miller <djm at mindrot.org> wrote:
> > What is libkeyutils.so? Is it linked to by some vendor patch? AFAIK
> > pristine OpenSSH never links to it.
>
> It's for the Linux kernel's stored-key API.
>
> From debian:
>
> Package: libkeyutils1
> Source: keyutils
> Version: 1.5.6-1
> Installed-Size: 20
> Maintainer: Luk Claes <luk at debian.org>
> Architecture: amd64
> Depends: libc6 (>= 2.14)
> Pre-Depends: multiarch-support
> Description-en: Linux Key Management Utilities (library)
>  Keyutils is a set of utilities for managing the key retention facility in the
>  kernel, which can be used by filesystems, block devices and more to gain and
>  retain the authorization and encryption keys required to perform secure
>  operations.
>  .
>  This package provides a wrapper library for the key management facility system
>  calls.
> Description-md5: 5c4d88a0a818e5ef897f2a9fa5c3ac2d
> Multi-Arch: same
> Homepage: http://people.redhat.com/~dhowells/keyutils/
> Tag: implemented-in::c, role::shared-lib
> Section: libs
> Priority: standard
> Filename: pool/main/k/keyutils/libkeyutils1_1.5.6-1_amd64.deb
> Size: 8758
> MD5sum: cec68a56387ef750ca89716761f59ed2
> SHA1: fd7b6baa5aca294775ef8f9c51e65e003d641ed9
> SHA256: b8f0d88776c44d59d30528d8ef81dba3a2519a53b71c8fe915a406f2e7a49bf1
>
> It is a reverse dependency of libkrb5-3 and other k5 libraries, so it's
> brought in by the gssapi vendor patchset, I think.
>
> hth,
>
>         --dkg
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
>


-- 
# include <stddisclaimer.h>
/* Kevin  Brott <Kevin.Brott at gmail.com> */
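
The link chain described in the message above can be recovered mechanically from the DT_NEEDED entries of each object. The following is an added example, not part of the original thread or of OpenSSH; the `readelf -d` excerpts are constructed sample input, and the names `needed`, `chains`, `sshd-vendor` and `sshd-pristine` are hypothetical.

```python
import re
from collections import deque

# One NEEDED row in the layout printed by `readelf -d`.
ROW = " 0x0000000000000001 (NEEDED)  Shared library: [{}]\n"

def fake_dump(*libs):
    """Build a constructed `readelf -d` excerpt listing the given sonames."""
    return "".join(ROW.format(lib) for lib in libs)

# Constructed sample input (not captured from a real host): a vendor sshd built
# with the GSSAPI patchset, and a pristine build without Kerberos support.
DUMPS = {
    "sshd-vendor": fake_dump("libgssapi_krb5.so.2", "libkrb5.so.3", "libc.so.6"),
    "sshd-pristine": fake_dump("libz.so.1", "libc.so.6"),
    "libgssapi_krb5.so.2": fake_dump("libkrb5.so.3", "libc.so.6"),
    "libkrb5.so.3": fake_dump("libkeyutils.so.1", "libc.so.6"),
    "libkeyutils.so.1": fake_dump("libc.so.6"),
}

NEEDED = re.compile(r"\(NEEDED\)\s+Shared library: \[([^\]]+)\]")

def needed(dump):
    """Return the sonames an object declares as direct dependencies."""
    return NEEDED.findall(dump)

def chains(dumps, root, target_prefix):
    """Breadth-first walk of DT_NEEDED edges from root; return every path
    that ends at a library whose soname starts with target_prefix."""
    found, queue = [], deque([[root]])
    while queue:
        path = queue.popleft()
        for lib in needed(dumps.get(path[-1], "")):
            if lib in path:          # guard against circular dependencies
                continue
            if lib.startswith(target_prefix):
                found.append(path + [lib])
            else:
                queue.append(path + [lib])
    return found

if __name__ == "__main__":
    for name in ("sshd-vendor", "sshd-pristine"):
        hits = chains(DUMPS, name, "libkeyutils.so")
        print(name, "->", [" <- ".join(p) for p in hits] or "no path to libkeyutils")
```

On a live host, the same dictionary can be filled from the output of `readelf -d` run on sshd and on each library it resolves to.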

