
Re: GSSAPI lib from Heimdal does not cleanup credentials in OpenSSH



Hi,

I have to apologize because I discovered that the problem with the
cleanup of credentials is not in the Heimdal gssapi library but in
the OpenSSH code. My OpenSSH with the MIT gssapi library cleans
credentials correctly because it uses PAM. OpenSSH 3.8 with gssapi
auth and without PAM does clean the credentials, but OpenSSH from
version 4.x doesn't. I'm now trying to find where the difference is.

Cheers,

Michal

Michal Prochazka wrote:
> Hello Simon,
> 
> Simon Wilkinson wrote:
>> On 15 Feb 2007, at 19:37, Douglas E. Engert wrote:
>>
>>>
>>> Michal Prochazka wrote:
>>>> Hello,
>>>> I'm using OpenSSH 4.3p2 and it does not clean up delegated Kerberos
>>>> tickets after user logout. OpenSSH is compiled with Heimdal 0.7.2. I
>>>> tried to compile OpenSSH with MIT Kerberos and it cleans up tickets.
>>>> So the difference is only in the gssapi library. I have searched the
>>>> mailing lists but nobody has mentioned this problem; am I doing
>>>> something wrong?
>>> When you say cleanup tickets, I assume you mean the ticket cache.
>>>
>>> Is this a PAM session problem? OpenSSH will call pam_close_session
>>> and the pam_krb5 can cleanup the ticket cache.
>> No - PAM doesn't (shouldn't?) get involved in cleaning up credentials it
>> hasn't obtained. For the case of delegated credentials, as indicated by
>> the original poster, OpenSSH does its own credentials cleanup.
>> The exact code path followed here differs between MIT and Heimdal,
>> however, as the interfaces provided are different.
>>
>> Firstly, just make sure that you have
>> GSSAPICleanupCredentials yes
>> set with both tests.
> 
> Yes I have.
> 
>> Then can you run sshd -d -d -d, and let me know what its output is when
>> a session is closed, running with the Heimdal libraries.
> 
> Here is the output of sshd when the client logs out:
> 
> debug1: Received SIGCHLD.
> debug1: session_by_pid: pid 3655
> debug1: session_exit_message: session 0 channel 0 pid 3655
> debug2: channel 0: request exit-status confirm 0
> debug1: session_exit_message: release channel 0
> debug2: channel 0: write failed
> debug2: channel 0: close_write
> debug2: channel 0: output open -> closed
> debug1: session_pty_cleanup: session 0 release /dev/pts/2
> debug2: notify_done: reading
> debug2: channel 0: read<=0 rfd 7 len -1
> debug2: channel 0: read failed
> debug2: channel 0: close_read
> debug2: channel 0: input open -> drain
> debug2: channel 0: ibuf empty
> debug2: channel 0: send eof
> debug2: channel 0: input drain -> closed
> debug2: channel 0: send close
> debug3: channel 0: will not send data after close
> debug2: channel 0: rcvd close
> debug3: channel 0: will not send data after close
> debug2: channel 0: is dead
> debug2: channel 0: gc: notify user
> debug1: session_by_channel: session 0 channel 0
> debug1: session_close_by_channel: channel 0 child 0
> debug1: session_close: session 0 pid 0
> debug2: channel 0: gc: user detached
> debug2: channel 0: is dead
> debug2: channel 0: garbage collecting
> debug1: channel 0: free: server-session, nchannels 1
> debug3: channel 0: status: The following connections are open:
>   #0 server-session (t4 r0 i3/0 o3/0 fd -1/-1 cfd -1)
> 
> debug3: channel 0: close_fds r -1 w -1 e -1 c -1
> Connection closed by 83.240.51.28
> debug1: do_cleanup
> Closing connection to 83.240.51.28
> 
> And here is the debug output on the client side after login:
> 
> debug1: temporarily_use_uid: 62233/100 (e=0/100)
> debug1: restore_uid: 0/100
> debug1: permanently_set_uid: 62233/100
> debug1: Setting KRB5CCNAME to FILE:/tmp/krb5cc_JG3655
> Environment:
>   KRB5CCNAME=FILE:/tmp/krb5cc_JG3655
>   USER=michalp
>   LOGNAME=michalp
>   HOME=/home/michalp
>   PATH=/usr/bin:/bin:/usr/sbin:/sbin:/tmp/bin
>   MAIL=/var/mail/michalp
>   SHELL=/bin/bash
>   SSH_CLIENT=83.240.51.28 3808 777
>   SSH_CONNECTION=83.240.51.28 3808 147.251.3.54 777
>   SSH_TTY=/dev/pts/2
>   TERM=xterm
> debug3: channel 0: close_fds r -1 w -1 e -1 c -1
> 
> 
> Thanks in advance,
> 
> Michal

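The thread turns on one question: once a session closes, is the delegated ticket cache that sshd announced in its "Setting KRB5CCNAME to FILE:..." debug line actually removed (as `GSSAPICleanupCredentials yes` promises), or does it linger in /tmp where it keeps granting access long after logout? The script below is an added example for checking that; it is not code from the thread, from OpenSSH or from Heimdal. It assumes the debug-line format shown above, a GNU or BSD `stat`, and that the caller supplies the list of currently logged-in users (for instance from `who`); the sshd log excerpt it runs on is constructed and written to a private temp directory.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH: after an sshd
# session ends, confirm that the delegated credential cache it created
# (the FILE: path sshd logs in "Setting KRB5CCNAME to FILE:...") is gone,
# and sweep a directory for krb5cc_* caches whose owner is not logged in.
# Assumptions: GNU or BSD `stat` is available, and the caller supplies the
# logged-in user list (e.g. from `who | awk '{print $1}' | sort -u`).

# Print the ccache path from the first "Setting KRB5CCNAME to FILE:..." line
# of an `sshd -d -d -d` log ($1). Prints nothing if no such line exists.
ccache_from_debug() {
    sed -n 's/^debug1: Setting KRB5CCNAME to FILE:\(.*\)$/\1/p' "$1" | head -n 1
}

# Succeed (exit 0) when the cache file has been removed, fail when it is
# still present: with GSSAPICleanupCredentials yes this should succeed
# once the session that created it has closed.
ccache_cleaned() {
    [ ! -e "$1" ]
}

# Owner login name of a file, portable across GNU and BSD stat.
file_owner() {
    stat -c %U "$1" 2>/dev/null || stat -f %Su "$1"
}

# Print every krb5cc_* file under directory $1 whose owner does not appear
# in the space-separated list of logged-in users $2. Such files are
# delegated caches that outlived their session and should be investigated.
stale_ccaches() {
    dir=$1
    users=$2
    for f in "$dir"/krb5cc_*; do
        [ -e "$f" ] || continue
        owner=$(file_owner "$f")
        case " $users " in
            *" $owner "*) ;;          # owner still has a session: keep
            *) printf '%s\n' "$f" ;;  # nobody logged in as owner: stale
        esac
    done
}

# Stand-alone demonstration on constructed data in a private temp dir, so
# nothing under the real /tmp is touched.
demo_dir=$(mktemp -d)
demo_log="$demo_dir/sshd.log"
# Constructed excerpt in the format sshd printed in the thread.
printf 'debug1: permanently_set_uid: 62233/100\n' > "$demo_log"
printf 'debug1: Setting KRB5CCNAME to FILE:%s/krb5cc_JG3655\n' "$demo_dir" >> "$demo_log"
cache=$(ccache_from_debug "$demo_log")
: > "$cache"                       # the cache exists while the session runs
if ccache_cleaned "$cache"; then echo "unexpected: cache missing"; fi
rm -f "$cache"                     # what sshd should do on session close
ccache_cleaned "$cache" && echo "cache cleaned: $cache"
: > "$demo_dir/krb5cc_orphan"      # a cache with no matching session
stale_ccaches "$demo_dir" "alice_example"   # prints .../krb5cc_orphan
rm -rf "$demo_dir"
```

To use it against a real host, point `ccache_from_debug` at the `sshd -d -d -d` output captured for the session, run `ccache_cleaned` on the path once the "Closing connection" line appears, and feed `stale_ccaches /tmp "$(who | awk '{print $1}' | sort -u | tr '\n' ' ')"` to a periodic job; a non-empty result is the symptom the original poster describes, regardless of which GSSAPI library sshd was built against.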