Bug 1055016

Summary: GSSAPICleanupCredentials must default to 'no' when using persistent keys
Product: [Fedora] Fedora Reporter: Enrico Scholz <rh-bugzilla>
Component: opensshAssignee: Petr Lautrbach <plautrba>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 20CC: mattias.ellert, mgrepl, mvermaes, plautrba, tmraz
Target Milestone: ---Keywords: Regression
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openssh-6.4p1-4.fc20 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-05-21 23:23:28 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Enrico Scholz 2014-01-18 00:46:17 UTC 
Description of problem:

Removing GSSAPI credentials on logout causes severe system because Fedora 20 uses persistent GSSAPI keys.  These keys are shared between sessions so exiting one session will remove unrelated GSSAPI credentials of other sessions.  This renders the system unusable because e.g. access to NFS4 blocks or login tasks fail.

The GSSAPICleanupCredentials must be set to no hence.

Things worked well in previous Fedora versions because persistent GSSAPI keys were not used there.


Version-Release number of selected component (if applicable):

openssh-6.4p1-3.fc20.x86_64
Comment 1 Tomas Mraz 2014-01-30 18:20:06 UTC 
Perhaps there should be proper reference counting on the shared persistent keys done by the kerberos library. However until this is implemented setting 'GSSAPICleanupCredentials no' is a reasonable workaround.
Comment 2 Fedora Update System 2014-05-15 14:02:02 UTC 
openssh-6.4p1-4.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/openssh-6.4p1-4.fc20
Comment 3 Fedora Update System 2014-05-16 10:03:06 UTC 
Package openssh-6.4p1-4.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openssh-6.4p1-4.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-6380/openssh-6.4p1-4.fc20
then log in and leave karma (feedback).
Comment 4 Fedora Update System 2014-05-21 23:23:28 UTC 
openssh-6.4p1-4.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.