Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 201341 - sshd no longer stores forwarded gssapi creds before opening the pam session
Summary: sshd no longer stores forwarded gssapi creds before opening the pam session
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: openssh
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks: FC6Target
TreeView+ depends on / blocked
 
Reported: 2006-08-04 14:55 UTC by Nalin Dahyabhai
Modified: 2007-11-30 22:11 UTC (History)
0 users

Fixed In Version: openssh-4.3p2-8
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-08-10 13:14:46 UTC


Attachments (Terms of Use)

Description Nalin Dahyabhai 2006-08-04 14:55:26 UTC
Description of problem:
OpenSSH 4.3p2-7 adds a patch which moves PAM session management from the child
process to the monitor when privilege separation is enabled.  It is still the
child which stores forwarded credentials when GSSAPI authentication is used,
though, so the PAM session module no longer has access to those credentials.

Version-Release number of selected component (if applicable):
4.3p2-7

How reproducible:
Always

Steps to Reproduce:
1. Configure pam_krb5 with the "external=sshd" option.
2. Configure syslog to log "debug" priority messages somewhere.
3. Attempt to log in using both GSSAPI authentication and credential delegation.
  
Actual results:
pam_krb5 logs that during pam_open_session, $KRB5CCNAME has not been set.  (I
can log in, but my AFS-based home directory is not accessible.)

Expected results:
pam_krb5 should find valid credentials in the location pointed to by $KRB5CCNAME
so that it can use them to obtain AFS tokens.

Additional info:
This also affects pam_afs2 and pam_openafs_session.  More discussion on how
those modules work can be found in the thread at
http://lists.openafs.org/pipermail/openafs-info/2005-April/017512.html

Comment 1 Tomas Mraz 2006-08-04 15:11:51 UTC
Nalin, do you have any ideas how to fix that other than removing the mentioned
patch? I think that the only solution which would also completely fix the
http://bugzilla.mindrot.org/show_bug.cgi?id=926 would be to leave the pam calls
where they are and add another fork before the setuid calls and exec of the shell.

For now I will probably remove the mentioned patch.


Comment 2 Tomas Mraz 2006-08-10 13:14:46 UTC
I removed the problematic patch.

Comment 3 Tomas Mraz 2006-11-28 21:22:29 UTC
Nalin, could you please try openssh-4.3p2-13.fc7 from rawhide? It contains
improved pam-session patch which should not cause this bug anymore.


Comment 4 Nalin Dahyabhai 2006-11-30 15:35:59 UTC
Works again, with either openssh-4.3p2-10.1.el5 or openssh-4.3p2-13.fc7.  Thanks!

Comment 5 Tomas Mraz 2006-11-30 16:15:08 UTC
Well openssh-4.3p2-10.1.el5 doesn't contain the pam-session patch but
openssh-4.3p2-13.fc7 does so that's good. Thanks for testing.



Note You need to log in before you can comment on or make changes to this bug.