Bug#648155: Will this patch be applied?
Hi,
The current behavior of kerberized NFS makes life difficult for us
where I work. Here's what happens:
1. User logs in with SSH, gets Kerberos ticket to access her home
directory (through pam_krb5 or GSSAPI delegated credentials).
2. User logs out, but the ticket is not removed from /tmp for some
reason. Or maybe the user just leaves the terminal window open and
never logs out.
3. Ticket expires.
4. User tries to log in again with SSH.
5. sshd impersonates user and tries to read files in
her home directory, like ~/.ssh/authorized_keys.
6. sshd hangs because the kernel is waiting for the expired ticket to
be renewed.
The old behaviour used to be:
6a. sshd gets EACCES trying to open the file and gives
up. Authentication continues, user gets a ticket, etc.
We can't disable public key authentication either, because we need it
for a backup script. Besides, there might be more code trying to read
files in the user's home directory before the user has a ticket.
The patch appears to solve the issue, although it is not ideal to have
to add an option to gssd. At least it's much better than having to
patch it.
It seems that upstream doesn't want to apply the patch. But what to
do, then? Clearly something is wrong here, although I can't say whose
fault it is. The old behaviour worked much better.
Any suggestions?
--
Pelle
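
Added example, not part of the original message or of nfs-utils: a probe that tells apart the two outcomes described in steps 6 and 6a, a read that hangs versus one that fails at once with an errno such as EACCES. The names probe and demo, the timeouts and the constructed FIFO standing in for a stalled NFS read are assumptions; on a real host the probe would run under the affected user's UID against a file in the NFS home directory.

```python
import errno
import os
import subprocess
import sys
import tempfile

# Child process: open the file and read one byte. Its exit status carries
# the errno of a failed open/read (0 means the read succeeded).
_CHILD = """
import os, sys
try:
    fd = os.open(sys.argv[1], os.O_RDONLY)
    os.read(fd, 1)
except OSError as e:
    sys.exit(e.errno or 255)
"""


def probe(path, timeout=5.0):
    """Return 'ok', 'hang', or an errno name such as 'EACCES' (hypothetical helper)."""
    child = subprocess.Popen([sys.executable, "-c", _CHILD, path])
    try:
        rc = child.wait(timeout=timeout)
    except subprocess.TimeoutExpired:
        child.kill()
        try:
            child.wait(timeout=1)  # reap if possible, never block on a stuck child
        except subprocess.TimeoutExpired:
            pass
        return "hang"
    return "ok" if rc == 0 else errno.errorcode.get(rc, "errno %d" % rc)


def demo():
    """Constructed stand-ins: a FIFO with no writer blocks on open like a stalled read."""
    d = tempfile.mkdtemp()
    fifo = os.path.join(d, "stalled")
    os.mkfifo(fifo)
    keys = os.path.join(d, "authorized_keys")
    with open(keys, "w") as f:
        f.write("constructed sample\n")
    return {
        "stalled": probe(fifo, timeout=1.0),
        "readable": probe(keys),
        "missing": probe(os.path.join(d, "missing")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

Doing the read in a child process keeps the monitoring script itself from blocking the way sshd does in step 6.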