[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

libpam-heimdal (1.2.0-1) credential cache naming problem



I have a problem with libpam-heimdal (current sid, 1.2.0-1) on a
client workstation running current sid, in that the credentials are
misplaced(?) when I log in via ssh (from other machines as well as
from the workstation itself.

The whole thing seems to work ok for local logins (kdm and console)
where credentials are obtained and placed in a file,
e.g. /tmp/krb5cc_abc123, and the value of the environment variable
KRB5CCNAME is set to the corresponding filename.

When I try to log in by ssh (sid, openssh 4.2) from the same machine
to itself, or from other machines, there is a credentials cache left
in /tmp, but it is owned by root:root and typically has a name
/tmp/krb5cc_pam_123abc. The environment variable KRB5CCNAME is present
but set to something totally different that is based on the uid and
another random 6-character string, e.g. krb5cc_1003_3khU54. The
credentials in the first file (owned by root) do indeed belong to the
user who tried to log in, as checked by root with klist -c on the
file.

At first I thought part of the problem was that I have my user
information in ldap, but I also tried to add a test user with password
disabled (added instead a principal for test@DOMAIN with password on
kdc). The same problem exist for this user when trying with ssh while
local logins work ok.

Of course one can do a kinit to create a cache in the file pointed to
by the KRB5CCNAME variable. This file is however not deleted on
logout, a kdestroy is necessary. The files owned by root containing
user credentials are not deleted at all it seems (how could they?).

I don't think this is a configuration issue, but if so, please
enlighten me.  If it is a bug, which part is broken, libpam-heimdal or
openssh? Or both?

I have also tried to obtain detailed logging, but didn't figure out
how to invoke _all_ logging statements in the source code of pam and
libpam-heimdal, only a few by adding the debug option at some places
in /etc/pam.d/common-*. How is this done properly?


Anders


P.S.

An interesting case is when I log in with valid kerberos-tokens over
ssh with gssapi. This works nicely and no password has to be typed,
but the KRB5CCNAME variable is set to a name base on the uid, for
example /tmp/krb5cc_1003, and no random string is attached, nor is
there any credentials even though the original ticket is supposedly
forwardable.

Credential cache files are subsequently deleted when logging out of
consoles, although not from kdm. This was supposedly fixed, see
#344927, but the problem seems to persist, I can reproduce it here.

According to pam_krb5(5), updated to 1.2.0, the intended naming of the
cache seems to be /tmp/krb5cc_[uid]_[random].



Reply to: