Hello Simon,

Simon Wilkinson wrote:
>
> On 15 Feb 2007, at 19:37, Douglas E. Engert wrote:
>
>>
>>
>> Michal Prochazka wrote:
>>> Hello,
>>> I'm using OpenSSH 4.3p2 and it does not clean up delegated Kerberos
>>> tickets after user logout. OpenSSH is compiled with Heimdal 0.7.2. I
>>> tried compiling OpenSSH with MIT Kerberos and it cleans up tickets.
>>> So the difference is only in the GSSAPI library. I have searched mailing
>>> lists but nobody mentioned this problem; am I doing something wrong?
>>
>> When you say clean up tickets, I assume you mean the ticket cache.
>>
>> Is this a PAM session problem? OpenSSH will call pam_close_session
>> and the pam_krb5 can clean up the ticket cache.
>
> No - PAM doesn't (shouldn't?) get involved in cleaning up credentials it
> hasn't obtained. For the case of delegated credentials, as indicated by
> the original poster, OpenSSH does its own credentials cleanup.
> The exact code path followed here differs between MIT and Heimdal,
> however, as the interfaces provided are different.
>
> Firstly, just make sure that you have
>
> GSSAPICleanupCredentials yes
>
> set with both tests.

Yes, I have.

> Then can you run sshd -d -d -d, and let me know what its output is when
> a session is closed, running with the Heimdal libraries.

Here is the output of sshd when the client logs out:

debug1: Received SIGCHLD.
debug1: session_by_pid: pid 3655
debug1: session_exit_message: session 0 channel 0 pid 3655
debug2: channel 0: request exit-status confirm 0
debug1: session_exit_message: release channel 0
debug2: channel 0: write failed
debug2: channel 0: close_write
debug2: channel 0: output open -> closed
debug1: session_pty_cleanup: session 0 release /dev/pts/2
debug2: notify_done: reading
debug2: channel 0: read<=0 rfd 7 len -1
debug2: channel 0: read failed
debug2: channel 0: close_read
debug2: channel 0: input open -> drain
debug2: channel 0: ibuf empty
debug2: channel 0: send eof
debug2: channel 0: input drain -> closed
debug2: channel 0: send close
debug3: channel 0: will not send data after close
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug2: channel 0: is dead
debug2: channel 0: gc: notify user
debug1: session_by_channel: session 0 channel 0
debug1: session_close_by_channel: channel 0 child 0
debug1: session_close: session 0 pid 0
debug2: channel 0: gc: user detached
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: server-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 server-session (t4 r0 i3/0 o3/0 fd -1/-1 cfd -1)
debug3: channel 0: close_fds r -1 w -1 e -1 c -1
Connection closed by 83.240.51.28
debug1: do_cleanup
Closing connection to 83.240.51.28

And here is the debug output on the client side after login:

debug1: temporarily_use_uid: 62233/100 (e=0/100)
debug1: restore_uid: 0/100
debug1: permanently_set_uid: 62233/100
debug1: Setting KRB5CCNAME to FILE:/tmp/krb5cc_JG3655
Environment:
  KRB5CCNAME=FILE:/tmp/krb5cc_JG3655
  USER=michalp
  LOGNAME=michalp
  HOME=/home/michalp
  PATH=/usr/bin:/bin:/usr/sbin:/sbin:/tmp/bin
  MAIL=/var/mail/michalp
  SHELL=/bin/bash
  SSH_CLIENT=83.240.51.28 3808 777
  SSH_CONNECTION=83.240.51.28 3808 147.251.3.54 777
  SSH_TTY=/dev/pts/2
  TERM=xterm
debug3: channel 0: close_fds r -1 w -1 e -1 c -1

Thanks in advance,
Michal

-- 
Michal Prochazka // michalp@ics.muni.cz
Supercomputing Center Brno
Institute of Computer Science
Masaryk University
Botanicka 68a, 60200 Brno, CZ

CESNET z.s.p.o.
Zikova 4, 16200 Praha 6, CZ
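A host-side check for the symptom this thread describes, a delegated ticket cache such as /tmp/krb5cc_JG3655 still present after its owner has logged out. This is an added example and not code from the thread or from OpenSSH; the `who` line format, the krb5cc_ prefix and the sample files and `who` output are assumptions constructed for the demo.

```python
import os
import pwd
import re
import stat
import tempfile
import time

# sshd names delegated caches krb5cc_<suffix> (the thread shows FILE:/tmp/krb5cc_JG3655).
CCACHE_NAME = re.compile(r"^krb5cc_")
# Assumed `who` line shape: "<user> <tty> <date> <time> (<host>)".
WHO_LINE = re.compile(r"^(\S+)\s+\S+\s+\S+\s+\S+")


def active_login_users(who_output):
    """Parse `who` output into the set of users that still have a live session."""
    users = set()
    for line in who_output.splitlines():
        m = WHO_LINE.match(line)
        if m:
            users.add(m.group(1))
    return users


def find_orphaned_ccaches(tmpdir, active_users, min_age=60, now=None):
    """Return (path, owner, age_seconds) for krb5cc_* regular files in tmpdir
    whose owner has no active login and which are at least min_age seconds old.
    The age threshold avoids flagging a cache that sshd is still setting up."""
    now = time.time() if now is None else now
    orphaned = []
    for name in sorted(os.listdir(tmpdir)):
        if not CCACHE_NAME.match(name):
            continue
        path = os.path.join(tmpdir, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue
        try:
            owner = pwd.getpwuid(st.st_uid).pw_name
        except KeyError:
            owner = str(st.st_uid)
        age = now - st.st_mtime
        if owner not in active_users and age >= min_age:
            orphaned.append((path, owner, int(age)))
    return orphaned


def demo():
    """Constructed scenario: a stale cache left by a logged-out user next to a
    fresh one; `who` (constructed) lists only an unrelated user."""
    d = tempfile.mkdtemp()
    stale, fresh = os.path.join(d, "krb5cc_JG3655"), os.path.join(d, "krb5cc_AB1234")
    for p in (stale, fresh):
        open(p, "w").close()
    hour_ago = time.time() - 3600
    os.utime(stale, (hour_ago, hour_ago))  # backdate the stale cache's mtime
    who = "otheruser pts/2 2007-02-15 19:37 (83.240.51.28)\n"
    return find_orphaned_ccaches(d, active_login_users(who))
```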