
Bug#512410: openssh-server: sshd segfaults (suppose libc or libpam-mount related)


On Jun 6, 2012, at 5:40 PM, Russ Allbery wrote:
> Aha!  Do you have the keytab PAM option set either in the PAM
> configuration or in krb5.conf?

I don't believe we do, unless it's getting called subtly from something else. Below is our regular krb5.conf in case it's helpful. Our PAM setup uses the standard Debian pam-auth-update lines for use with Kerberos, plenty of invocations of "pam_krb5.so minimum_uid=1000", but no use of the keytab option. Our host entries live in the default /etc/krb5.keytab; I don't think we've had a reason to use keytab.

> MIT Kerberos appears to have a bug where krb5_verify_init_creds
> unconditionally frees the server krb5_principal argument even if it was
> passed in by the caller, resulting in a double-free in the pam-krb5 module
> when the keytab option is set.

That definitely sounds like our problem, though I'm not sure how we're running into it. 

> This bug appears to have been introduced in commit
> caf1fdd98690019d9ac9f56125f4916cfbdfd2d4 which was applied as a patch in
> the krb5 package in Debian even though that change wasn't in 1.10.1.  It
> looks like that bug isn't in any released version of Kerberos, but the
> Debian package will need a new release to fix it.  I'll copy Sam so that
> he's aware and also file an upstream bug.

That is in fact our problem! I rebuilt the Debian krb5 with that patch backed out and sure enough, we're in business with password authentication once again. Now we only have the minor mystery of how the double-free is occurring in our case.

Thanks much for your help today,

-- krb5.conf:

[appdefaults]
	pam = {
		EXAMPLE.COM = {
			banner = Custom password change banner
		}
	}

[libdefaults]
	default_realm = EXAMPLE.COM

# needed to make NFS behave
	allow_weak_crypto = true

# The following krb5.conf variables are only for MIT Kerberos.
	krb4_config = /etc/krb.conf
	krb4_realms = /etc/krb.realms
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#	default_tgs_enctypes = des3-hmac-sha1
#	default_tkt_enctypes = des3-hmac-sha1
#	permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
	v4_instance_resolve = false
	v4_name_convert = {
		host = {
			rcmd = host
			ftp = ftp
		}
		plain = {
			something = something-else
		}
	}
	fcc-mit-ticketflags = true

[realms]
	EXAMPLE.COM = {
		kdc = kdc2.example.com
		kdc = kdc1.example.com
		admin_server = kdc2.example.com
	}

[domain_realm]
	.example.com = EXAMPLE.COM
	example.com = EXAMPLE.COM

[login]
	krb4_convert = true
	krb4_get_tickets = false
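The double-free mechanism in the quoted explanation, modelled in plain C so it can be run without a Kerberos installation. This is an added example, not libkrb5 or pam-krb5 code: the principal type, the allocation registry, and the function names (verify_buggy, verify_fixed, keytab_caller) are hypothetical stand-ins, and the principal name is constructed. It puts the two ownership contracts side by side: the buggy routine frees the server principal on every path, so a caller that passed in its own principal (the PAM module with the keytab option set) frees it a second time; the fixed routine frees only the principal it allocated itself.

```c
/*
 * Added illustration of the ownership bug described in the thread, using a
 * mock principal type.  Not libkrb5/pam-krb5 code; all names are hypothetical.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char *name;
} mock_principal;

/* Tiny registry of live principals so a second free is *detected* here
 * instead of being undefined behaviour, as with a real krb5_free_principal. */
#define MAX_LIVE 16
static mock_principal *g_live[MAX_LIVE];
static int g_double_frees;

static mock_principal *principal_new(const char *name)
{
    mock_principal *p = calloc(1, sizeof *p);
    size_t n = strlen(name) + 1;
    p->name = malloc(n);
    memcpy(p->name, name, n);
    for (int i = 0; i < MAX_LIVE; i++) {
        if (g_live[i] == NULL) { g_live[i] = p; break; }
    }
    return p;
}

static void principal_free(mock_principal *p)
{
    if (p == NULL)
        return;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (g_live[i] == p) {        /* still live: release it for real */
            g_live[i] = NULL;
            free(p->name);
            free(p);
            return;
        }
    }
    g_double_frees++;                /* not live: this would be a double free */
}

static int live_count(void)
{
    int n = 0;
    for (int i = 0; i < MAX_LIVE; i++)
        n += (g_live[i] != NULL);
    return n;
}

/* Buggy contract: 'server' may be caller-owned or built here, yet it is
 * freed unconditionally on the way out. */
static int verify_buggy(mock_principal *server)
{
    if (server == NULL)
        server = principal_new("host/client.example.com@EXAMPLE.COM");
    /* ... verification against the keytab would go here ... */
    principal_free(server);          /* BUG: also frees a caller-owned principal */
    return 0;
}

/* Fixed contract: remember what we allocated and free only that.  When the
 * caller owns 'server', 'ours' stays NULL and principal_free is a no-op. */
static int verify_fixed(mock_principal *server)
{
    mock_principal *ours = NULL;
    if (server == NULL)
        server = ours = principal_new("host/client.example.com@EXAMPLE.COM");
    /* ... verification against the keytab would go here ... */
    principal_free(ours);
    return 0;
}

/* Caller in the position of pam-krb5 with the keytab option: it already holds
 * the server principal from its keytab, so it owns it and frees it after the
 * call.  Returns how many double frees the call caused (0 or 1). */
static int keytab_caller(int (*verify)(mock_principal *))
{
    int before = g_double_frees;
    mock_principal *server = principal_new("host/client.example.com@EXAMPLE.COM");
    verify(server);
    principal_free(server);          /* the caller's legitimate free */
    return g_double_frees - before;
}

int main(void)
{
    printf("buggy verify, caller-owned principal: %d double free(s)\n",
           keytab_caller(verify_buggy));
    printf("fixed verify, caller-owned principal: %d double free(s)\n",
           keytab_caller(verify_fixed));
    verify_fixed(NULL);
    printf("fixed verify, NULL principal: %d principal(s) leaked\n", live_count());
    return 0;
}
```

The fix is the ownership rule a reviewer would ask for in the real function: a routine that may either accept or construct an object must free only the instance it constructed, which is why the corrected version tracks its own allocation in a separate variable rather than freeing the parameter.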
