Bug 1273271

Summary: klist/kdestroy is hiding active credential cache
Product: Red Hat Enterprise Linux 7
Reporter: Martin Kosek <mkosek>
Component: krb5
Assignee: Matt Rogers <mrogers>
Status: CLOSED ERRATA
QA Contact: Patrik Kis <pkis>
Severity: unspecified
Docs Contact:
Priority: low
Version: 7.2
CC: dpal, mkosek, pkis, rharwood
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: krb5-1.15.1-1.el7
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-01 17:58:41 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Martin Kosek 2015-10-20 06:31:38 UTC
Description of problem:
When using a collection type of cache (like DIR or KEYRING) and kinit is run while there is already an active credentials cache, the old cache is not overwritten; rather, a new one is created.

Then both active caches can be used for authentication. This is intended behavior and works well when the "-A" option of klist/kdestroy is used to manipulate the caches. However, it is not intuitive for people used to file-based credential caches (which are overwritten on the next kinit), as they are simply not aware of the cache still active "in the background":

1. kinit admin
2. authenticate to Kerberized web app (works fine - user admin)
3. kinit fbar
4. authenticate to Kerberized web app (works fine - user fbar)
5. kdestroy
6. klist (does not show any active cache)
7. authenticate to Kerberized web app - unexpectedly authenticates as admin again

Even though this is expected, kdestroy/klist do not show any active cache:

$ kdestroy
$ klist
klist: Credentials cache keyring 'persistent:17127:krb_ccache_7qITFed' not found
$ klist -A
klist: Credentials cache keyring 'persistent:17127:krb_ccache_tTQg0zv' not found

Ticket cache: KEYRING:persistent:17127:krb_ccache_JZtZsq0
Default principal: admin

Valid starting       Expires              Service principal
10/19/2015 16:38:05  10/20/2015 16:38:03  krbtgt/EXAMPLE.COM

Version-Release number of selected component (if applicable):
krb5-1.13.2-10.el7

How reproducible:
Always

Steps to Reproduce:
1. See above

Actual results:
See above; the current implementation may simply lead to security issues, as people's expectations are not met.


Expected results:

It would be better to at least indicate that there is another active cache present:

$ klist
klist: Credentials cache keyring 'persistent:17127:krb_ccache_7qITFed' not found
klist: Other credentials cache present, use "-A" for a full list

$ kdestroy
kdestroy: Other credentials cache present, use "-A" to destroy all
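
The following is an added example, not part of this bug report or of the krb5 project: a small POSIX shell helper for the situation described above. A bare kdestroy/klist only touches the default cache of a KEYRING or DIR collection, so the helper parses "klist -A" (the one listing that enumerates the whole collection) to count the caches that survive and to name their principals, and wraps "kdestroy -A" in a verified logout that fails if anything is left. It assumes MIT krb5's klist/kdestroy output format as shown in the report; the two sample listings embedded in the script are constructed from the report's own output (the first from the description, the second from the alice/bob session later in the thread) so the parsing functions can be exercised without a KDC.

```shell
#!/bin/sh
# Added example (not the bug report's or krb5's code): detect credential
# caches that a bare "klist" or "kdestroy" hides when the default cache lives
# in a collection (KEYRING:persistent:<uid> or DIR:). Only "klist -A" walks
# the whole collection, so that is what the helpers parse.

# Count caches in "klist -A" output read on stdin. Every cache in the
# collection is introduced by a "Ticket cache:" line; the "... not found"
# message klist prints for a missing default cache contains no such line and
# is therefore ignored. grep -c prints 0 but exits 1 when nothing matches,
# so the exit status is masked to keep "set -e" callers alive.
count_caches() {
    grep -c '^Ticket cache:' || true
}

# Print the default principal of every cache in the collection, one per line,
# so the operator sees who is still authenticated, not just how many caches.
list_principals() {
    sed -n 's/^Default principal: //p'
}

# Live check against the running system: how many caches survive in the
# current collection? stderr is discarded because the "not found" line for
# the destroyed default cache is not an error for this purpose.
caches_remaining() {
    klist -A 2>/dev/null | count_caches
}

# Drop-in replacement for a bare "kdestroy" in logout scripts: destroy the
# whole collection (kdestroy -A) and fail loudly if anything is still there.
kdestroy_all_verified() {
    kdestroy -A 2>/dev/null || true
    n=$(caches_remaining)
    if [ "$n" -ne 0 ]; then
        echo "kdestroy_all_verified: $n credential cache(s) still present:" >&2
        klist -A 2>/dev/null | list_principals >&2
        return 1
    fi
    return 0
}

# Constructed sample: what "klist -A" shows after step 5 of the report, where
# the default cache was destroyed but admin's cache is still in the keyring.
SAMPLE_AFTER_KDESTROY="klist: Credentials cache keyring 'persistent:17127:krb_ccache_tTQg0zv' not found

Ticket cache: KEYRING:persistent:17127:krb_ccache_JZtZsq0
Default principal: admin

Valid starting       Expires              Service principal
10/19/2015 16:38:05  10/20/2015 16:38:03  krbtgt/EXAMPLE.COM"

# Constructed sample: a collection holding two caches (alice and bob), before
# any kdestroy, as in the later alice/bob session in this thread.
SAMPLE_TWO_CACHES="Ticket cache: KEYRING:persistent:0:krb_ccache_XrBKEoi
Default principal: alice

Valid starting       Expires              Service principal
04/28/2017 14:27:14  04/29/2017 14:27:14  krbtgt/ZMRAZ.COM

Ticket cache: KEYRING:persistent:0:krb_ccache_PgwlFMV
Default principal: bob

Valid starting       Expires              Service principal
04/28/2017 14:27:17  04/29/2017 14:27:17  krbtgt/ZMRAZ.COM"

# Stand-alone demonstration on the constructed samples: "sh script.sh demo".
# Pass "live" instead to run the verified logout on the real collection.
case "${1:-}" in
    demo)
        printf 'caches after bare kdestroy: %s\n' \
            "$(printf '%s\n' "$SAMPLE_AFTER_KDESTROY" | count_caches)"
        printf 'principals still usable:\n'
        printf '%s\n' "$SAMPLE_AFTER_KDESTROY" | list_principals
        printf 'caches in two-user collection: %s\n' \
            "$(printf '%s\n' "$SAMPLE_TWO_CACHES" | count_caches)"
        ;;
    live)
        kdestroy_all_verified
        ;;
esac
```

Run it with "demo" to see the parsing on the embedded samples, or with "live" on a host with krb5-workstation to destroy and verify the real collection. The check deliberately counts "Ticket cache:" lines rather than trusting kdestroy's exit status, because the report's whole point is that the default-cache view can be empty while other caches in the collection are still valid for authentication.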

Comment 2 Patrik Kis 2015-12-09 12:37:18 UTC
Maybe klist could display all caches by default, like klist -A. Just an idea.

Comment 10 Patrik Kis 2017-04-28 12:39:01 UTC
I did a little testing and, as indicated in the upstream PR (reference in comment 5), a hint was added to kdestroy, but not to klist.

@ Martin, you filed this BZ, are you ok with that? If yes, we can consider this request as fixed.


More details:

[root@rhel7]# rpm -q krb5-libs
krb5-libs-1.15.1-7.el7.x86_64
[root@rhel7]# 
[root@rhel7]# echo aaa |kinit alice
Password for alice: 
[root@rhel7]# klist 
Ticket cache: KEYRING:persistent:0:krb_ccache_XrBKEoi
Default principal: alice

Valid starting       Expires              Service principal
04/28/2017 14:27:14  04/29/2017 14:27:14  krbtgt/ZMRAZ.COM
[root@rhel7]# 
[root@rhel7]# echo bbb | kinit bob
Password for bob: 
[root@rhel7]# klist 
Ticket cache: KEYRING:persistent:0:krb_ccache_PgwlFMV
Default principal: bob

Valid starting       Expires              Service principal
04/28/2017 14:27:17  04/29/2017 14:27:17  krbtgt/ZMRAZ.COM
[root@rhel7]# 
[root@rhel7]# kdestroy 
Other credential caches present, use -A to destroy all
[root@rhel7]# klist 
klist: Credentials cache keyring 'persistent:0:krb_ccache_PgwlFMV' not found
[root@rhel7]# 
[root@rhel7]# kswitch -p alice
[root@rhel7]# klist 
Ticket cache: KEYRING:persistent:0:krb_ccache_XrBKEoi
Default principal: alice

Valid starting       Expires              Service principal
04/28/2017 14:27:14  04/29/2017 14:27:14  krbtgt/ZMRAZ.COM
[root@rhel7]# 
[root@rhel7]# kdestroy 
[root@rhel7]# klist -A
[root@rhel7]# klist -l
Principal name                 Cache name
--------------                 ----------
[root@rhel7]#

Comment 14 Martin Kosek 2017-05-10 10:53:18 UTC
(In reply to Patrik Kis from comment #10)
> I did a little testing and, as indicated in the upstream PR (reference
> in comment 5), a hint was added to kdestroy, but not to klist.
> 
> @ Martin, you filed this BZ, are you ok with that? If yes, we can consider this
> request as fixed.

Sorry, I missed this update. Yes, this should help to prevent/fix the original issue I had. Thank you.

Comment 15 errata-xmlrpc 2017-08-01 17:58:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1891