
Bug#612413: openssh-server: Kerberos cred cache not cleaned up after failed authorisation by PAM



Package: openssh-server
Version: 1:5.5p1-6
Severity: normal


Normally the Kerberos credential cache is cleaned up after a user logs out and the SSH session closes. My assumption is that this behaviour is caused by the settings in /etc/ssh/sshd_config below:

KerberosTicketCleanup yes
GSSAPICleanupCredentials yes

However, I found a case in which the credential cache is NOT cleaned up. This happens when a user successfully authenticates with Kerberos/GSSAPI, but authorisation fails while processing PAM account settings.

This is what happens on the client:

$ ssh user@host
user@host's password:
LDAP authorisation check failed
Connection closed by 10.0.10.10

On the server you'll see a credential cache file that has been created:

# ls -l /tmp/*1400400*
-rw------- 1 user   user     507 Feb  8 10:40 krb5cc_1400400_wGxWcnG143

But it will never be removed...

Conclusion: cleanup of credential caches works, but not in case the PAM account check fails.

I don't know whether this is an upstream issue. I couldn't find any configuration settings I'm missing. My guess is that sshd doesn't know about the failed authorisation by PAM and thus doesn't invoke the cleanup process. Remember that the authentication that happens on the SSH level WAS successful, which might let sshd think that it's a successful login, so no cleanup is needed.

Thanks for looking at this issue.

-- System Information:
Debian Release: 6.0
  APT prefers squeeze-updates
  APT policy: (500, 'squeeze-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-server depends on:
ii  adduser                 3.112+nmu2       add and remove users and groups
ii  debconf [debconf-2.0]   1.5.36.1         Debian configuration management sy
ii  dpkg                    1.15.8.9         Debian package management system
ii  libc6                   2.11.2-10        Embedded GNU C Library: Shared lib
ii  libcomerr2              1.41.12-2        common error description library
ii  libgssapi-krb5-2        1.8.3+dfsg-4     MIT Kerberos runtime libraries - k
ii  libkrb5-3               1.8.3+dfsg-4     MIT Kerberos runtime libraries
ii  libpam-modules          1.1.1-6.1        Pluggable Authentication Modules f
ii  libpam-runtime          1.1.1-6.1        Runtime support for the PAM librar
ii  libpam0g                1.1.1-6.1        Pluggable Authentication Modules l
ii  libselinux1             2.0.96-1         SELinux runtime shared libraries
ii  libssl0.9.8             0.9.8o-4         SSL shared libraries
ii  libwrap0                7.6.q-19         Wietse Venema's TCP wrappers libra
ii  lsb-base                3.2-23.2squeeze1 Linux Standard Base 3.2 init scrip
ii  openssh-blacklist       0.4.1            list of default blacklisted OpenSS
ii  openssh-client          1:5.5p1-6        secure shell (SSH) client, for sec
ii  procps                  1:3.2.8-9        /proc file system utilities
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

Versions of packages openssh-server recommends:
pn  openssh-blacklist-extra       <none>     (no description available)
pn  xauth                         <none>     (no description available)

Versions of packages openssh-server suggests:
pn  molly-guard                   <none>     (no description available)
pn  rssh                          <none>     (no description available)
pn  ssh-askpass                   <none>     (no description available)
pn  ufw                           <none>     (no description available)

-- debconf information:
* ssh/use_old_init_script: true
  ssh/vulnerable_host_keys:
  ssh/encrypted_host_key_but_no_keygen:
  ssh/disable_cr_auth: false


