
Re: GSSAPI lib from Heimdal does not cleanup credentials in OpenSSH

Hello Simon,

Simon Wilkinson wrote:
> On 15 Feb 2007, at 19:37, Douglas E. Engert wrote:
>> Michal Prochazka wrote:
>>> Hello,
>>> I'm using OpenSSH 4.3p2 and it does not clean up delegated Kerberos
>>> tickets after user logout. OpenSSH is compiled with Heimdal 0.7.2. I
>>> tried compiling OpenSSH with MIT Kerberos and it cleans up the tickets.
>>> So the difference is only in the GSSAPI library. I have searched the
>>> mailing lists but nobody has mentioned this problem; am I doing something wrong?
>> When you say clean up tickets, I assume you mean the ticket cache.
>> Is this a PAM session problem? OpenSSH will call pam_close_session
>> and pam_krb5 can clean up the ticket cache.
> No - PAM doesn't (shouldn't?) get involved in cleaning up credentials it
> hasn't obtained. For the case of delegated credentials, as indicated by
> the original poster, OpenSSH does its own credentials cleanup.
> The exact code path followed here differs between MIT and Heimdal,
> however, as the interfaces provided are different.
> Firstly, just make sure that you have
> GSSAPICleanupCredentials yes
> set with both tests.

Yes I have.

> Then can you run sshd -d -d -d, and let me know what its output is when
> a session is closed, running with the Heimdal libraries.

Here is the output of sshd when the client logs out:

debug1: Received SIGCHLD.
debug1: session_by_pid: pid 3655
debug1: session_exit_message: session 0 channel 0 pid 3655
debug2: channel 0: request exit-status confirm 0
debug1: session_exit_message: release channel 0
debug2: channel 0: write failed
debug2: channel 0: close_write
debug2: channel 0: output open -> closed
debug1: session_pty_cleanup: session 0 release /dev/pts/2
debug2: notify_done: reading
debug2: channel 0: read<=0 rfd 7 len -1
debug2: channel 0: read failed
debug2: channel 0: close_read
debug2: channel 0: input open -> drain
debug2: channel 0: ibuf empty
debug2: channel 0: send eof
debug2: channel 0: input drain -> closed
debug2: channel 0: send close
debug3: channel 0: will not send data after close
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug2: channel 0: is dead
debug2: channel 0: gc: notify user
debug1: session_by_channel: session 0 channel 0
debug1: session_close_by_channel: channel 0 child 0
debug1: session_close: session 0 pid 0
debug2: channel 0: gc: user detached
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: server-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 server-session (t4 r0 i3/0 o3/0 fd -1/-1 cfd -1)

debug3: channel 0: close_fds r -1 w -1 e -1 c -1
Connection closed by
debug1: do_cleanup
Closing connection to

And here is the debug output on the client side after login:

debug1: temporarily_use_uid: 62233/100 (e=0/100)
debug1: restore_uid: 0/100
debug1: permanently_set_uid: 62233/100
debug1: Setting KRB5CCNAME to FILE:/tmp/krb5cc_JG3655
  SSH_CLIENT= 3808 777
  SSH_CONNECTION= 3808 777
debug3: channel 0: close_fds r -1 w -1 e -1 c -1

Thanks in advance,

Michal Prochazka // michalp@ics.muni.cz

Supercomputing Center Brno
Institute of Computer Science
Masaryk University
Botanicka 68a, 60200 Brno, CZ

CESNET z.s.p.o.
Zikova 4, 16200 Praha 6, CZ
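Added example, not part of the original thread or of OpenSSH itself: a small Python check that pulls the KRB5CCNAME sshd assigned to the delegated credentials out of a `sshd -d -d -d` capture and, once the log shows `do_cleanup`, reports whether that cache file is still on disk. That is the condition the thread is trying to establish for the Heimdal build. The sample log embedded below is constructed from the lines posted above (login-side lines placed before the logout-side lines, as they occur in one real session); the function names and the injectable `exists` parameter are the example's own. The handling of non-FILE cache types (KCM:, DIR:, MEMORY:) goes beyond what the thread discusses and is included because a stat() cannot answer the question for those.

```python
import os
import re
from typing import Callable, Optional

# Constructed sample log (modelled on the output posted in the thread): the
# login-side lines first, then the logout-side lines, as they would appear in
# one real sshd -d -d -d session. Host addresses are omitted as in the post.
SAMPLE_SSHD_LOG = """\
debug1: permanently_set_uid: 62233/100
debug1: Setting KRB5CCNAME to FILE:/tmp/krb5cc_JG3655
debug1: Received SIGCHLD.
debug1: session_by_pid: pid 3655
debug1: session_close: session 0 pid 0
debug1: channel 0: free: server-session, nchannels 1
debug1: do_cleanup
"""

CCNAME_RE = re.compile(r"Setting KRB5CCNAME to (?P<ccname>\S+)")
CLEANUP_RE = re.compile(r"\bdo_cleanup\b")


def delegated_ccname(log: str) -> Optional[str]:
    """Return the KRB5CCNAME sshd assigned to the delegated credentials, or None.

    sshd logs this once per session when it sets up the user's environment;
    the last match wins in case several sessions share one debug capture.
    """
    found = None
    for line in log.splitlines():
        m = CCNAME_RE.search(line)
        if m:
            found = m.group("ccname")
    return found


def ccache_path(ccname: str) -> Optional[str]:
    """Map a KRB5CCNAME to a filesystem path, or None if it is not a plain file.

    A name without a type prefix is treated as FILE: (both MIT and Heimdal do
    this). Other cache types (KCM:, DIR:, MEMORY:, API:) cannot be checked
    with a stat(), so None is returned for them.
    """
    cctype, sep, rest = ccname.partition(":")
    if not sep:  # bare path, implicitly FILE:
        return ccname
    if cctype.upper() == "FILE":
        return rest
    return None


def check_cleanup(log: str, exists: Callable[[str], bool] = os.path.exists) -> dict:
    """Decide whether the delegated ccache survived session cleanup.

    Returns a dict with:
      ccname        the KRB5CCNAME from the log (None if nothing was delegated)
      cleanup_seen  True if do_cleanup appears after the ccache was assigned
      leftover      True if the cache file still exists, False if it is gone,
                    None if the question cannot be answered from this log
      reason        one-line explanation
    `exists` is injectable so the logic can be exercised without a real file.
    """
    result = {"ccname": None, "cleanup_seen": False, "leftover": None, "reason": ""}
    ccname = delegated_ccname(log)
    if ccname is None:
        result["reason"] = "no delegated credentials: sshd never set KRB5CCNAME"
        return result
    result["ccname"] = ccname
    # Only a do_cleanup that follows the ccache assignment counts.
    after = log[log.rfind(ccname) + len(ccname):]
    result["cleanup_seen"] = bool(CLEANUP_RE.search(after))
    if not result["cleanup_seen"]:
        result["reason"] = "session has not reached do_cleanup yet; nothing to judge"
        return result
    path = ccache_path(ccname)
    if path is None:
        result["reason"] = f"{ccname}: not a FILE: cache, cannot verify with a stat()"
        return result
    result["leftover"] = exists(path)
    if result["leftover"]:
        result["reason"] = f"{path} still present after do_cleanup: credentials were not cleaned up"
    else:
        result["reason"] = f"{path} gone after do_cleanup: credentials were cleaned up"
    return result


if __name__ == "__main__":
    # Against a live capture, feed the real sshd output instead of the sample.
    print(check_cleanup(SAMPLE_SSHD_LOG)["reason"])
```

Run it on the same machine that ran `sshd -d -d -d`, right after the client disconnects, so the stat() sees the state of /tmp that sshd left behind; with `GSSAPICleanupCredentials yes` a correct build should report the file gone.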
