Bug 725797

Summary: pam_krb5 leaks ccache files when logging in through ssh
Product: [Fedora] Fedora
Component: pam_krb5
Version: 13
Hardware: i686
OS: Linux
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Reporter: stefan.volkel.ext
Assignee: Nalin Dahyabhai <nalin>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: ktdreyer, nalin
Fixed In Version: pam_krb5-2.3.13-1.fc16
Doc Type: Bug Fix
Last Closed: 2011-09-30 19:44:40 UTC
Bug Blocks: 733803
Attachments:
  /var/log/secure
  strace -f -p $PID_OF_SSHD

Description stefan.volkel.ext 2011-07-26 15:25:02 UTC
Description of problem:

Each time a user logs in and out again, one ccache file is left in /tmp.

Users are managed in Active Directory and authenticate through nss-pam-ldapd/pam_krb5.

Version-Release number of selected component (if applicable):

pam_krb5-2.3.11-4.fc13.i686


How reproducible:

Every time.

Steps to Reproduce:
1. Log in via SSH
2. Log out

  
Actual results:

one ccache file left in /tmp

Expected results:

no ccache file left in /tmp


Additional info:

FWIW, setting multiple_ccaches did not seem to have any effect.

The file left around was /tmp/krb5cc_10011_n0pEkv.

It seems like this file is created just before the session starts:

Jul 26 16:40:40 fedora3-f13 sshd[17380]: pam_krb5[17380]: created v5 ccache 'FILE:/tmp/krb5cc_10011_n0pEkv' for 'test05'
Jul 26 16:40:40 fedora3-f13 sshd[17380]: pam_krb5[17380]: pam_open_session returning 0 (Success)
Jul 26 16:40:42 fedora3-f13 sshd[17380]: Received disconnect from 10.46.208.226: 11: disconnected by user
Jul 26 16:40:42 fedora3-f13 sshd[17369]: pam_unix(sshd:session): session closed for user test05

However after the session ends, a different file is tried for deletion:

Jul 26 16:40:42 fedora3-f13 sshd[17369]: pam_krb5[17369]: removing ccache 'FILE:/tmp/krb5cc_10011_LCo3fe'
Jul 26 16:40:43 fedora3-f13 sshd[17369]: pam_krb5[17369]: error removing ccache 'FILE:/tmp/krb5cc_10011_LCo3fe'

Which has been created just before /tmp/krb5cc_10011_n0pEkv.

Also, /tmp/krb5cc_10011_LCo3fe has already been deleted before /tmp/krb5cc_10011_n0pEkv was created:

17381 execve("/lib/security/pam_krb5/pam_krb5_storetmp", ["pam_krb5_storetmp", "/tmp/krb5cc_10011_LCo3fe", "4294967295", "4294967295"], [/* 15 vars */]) = 0
17381 unlink("/tmp/krb5cc_10011_LCo3fe") = 0
...
17382 execve("/lib/security/pam_krb5/pam_krb5_storetmp", ["pam_krb5_storetmp", "/tmp/krb5cc_10011_XXXXXX", "10011", "10000"], [/* 15 vars */]) = 0
17382 open("/tmp/krb5cc_10011_n0pEkv", O_RDWR|O_CREAT|O_EXCL, 0600) = 3
...
17422 execve("/lib/security/pam_krb5/pam_krb5_storetmp", ["pam_krb5_storetmp", "/tmp/krb5cc_10011_LCo3fe", "4294967295", "4294967295"], [/* 15 vars */]) = 0
17422 unlink("/tmp/krb5cc_10011_LCo3fe") = -1 ENOENT (No such file or directory)
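
The create/remove mismatch described in the report above can be checked mechanically. The following is an added example, not part of the original report or of pam_krb5: it pairs pam_krb5's "created v5 ccache" messages with its "removing ccache" / "error removing ccache" messages and lists caches that were never cleaned up. The function name audit_ccaches is hypothetical, the sample input is the four pam_krb5 lines quoted in the report, and it assumes a "removing ccache" line with no following error line means the removal succeeded.

```python
import re

# pam_krb5 debug messages as they appear in the /var/log/secure excerpt above.
EVENT = re.compile(
    r"pam_krb5\[\d+\]: (created v5 ccache|removing ccache|error removing ccache) "
    r"'(?:FILE:)?([^']+)'"
)

# Sample input: the pam_krb5 lines quoted in the report.
REPORT_LOG = """\
Jul 26 16:40:40 fedora3-f13 sshd[17380]: pam_krb5[17380]: created v5 ccache 'FILE:/tmp/krb5cc_10011_n0pEkv' for 'test05'
Jul 26 16:40:40 fedora3-f13 sshd[17380]: pam_krb5[17380]: pam_open_session returning 0 (Success)
Jul 26 16:40:42 fedora3-f13 sshd[17369]: pam_krb5[17369]: removing ccache 'FILE:/tmp/krb5cc_10011_LCo3fe'
Jul 26 16:40:43 fedora3-f13 sshd[17369]: pam_krb5[17369]: error removing ccache 'FILE:/tmp/krb5cc_10011_LCo3fe'
"""


def audit_ccaches(log_text):
    """Return (leaked, failed_removals) for the pam_krb5 events in log_text.

    leaked: ccache paths that were created but never removed without error.
    failed_removals: paths whose removal was attempted and reported an error.
    Assumption: 'removing ccache' with no later 'error removing ccache' for
    the same path means the file was removed.
    """
    created, removed, failed = [], set(), set()
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        event, path = m.groups()
        if event == "created v5 ccache":
            if path not in created:
                created.append(path)
        elif event == "removing ccache":
            removed.add(path)
        else:  # "error removing ccache"
            removed.discard(path)
            failed.add(path)
    leaked = [p for p in created if p not in removed]
    return leaked, sorted(failed)


if __name__ == "__main__":
    leaked, failed = audit_ccaches(REPORT_LOG)
    for path in leaked:
        print("created but never removed:", path)
    for path in failed:
        print("removal failed:", path)
```

A failed removal for a path that never appears in a "created" line, next to a leaked path with the same UID prefix, is the signature of this bug.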

Comment 1 stefan.volkel.ext 2011-07-26 15:25:44 UTC
Created attachment 515305
/var/log/secure

Comment 2 stefan.volkel.ext 2011-07-26 15:26:36 UTC
Created attachment 515306
strace -f -p $PID_OF_SSHD

Comment 3 stefan.volkel.ext 2011-07-27 08:22:06 UTC
FWIW, it seems that the file kept after logout is the one from KRB5CCNAME

Comment 4 Ken Dreyer 2011-08-26 22:19:48 UTC
Appears to be happening on RHEL 6.1 also. pam_krb5-2.3.11-6.el6.x86_64

Comment 5 Fedora Update System 2011-09-09 13:43:36 UTC
pam_krb5-2.3.13-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/pam_krb5-2.3.13-1.fc16

Comment 6 Fedora Update System 2011-09-09 15:09:36 UTC
Package pam_krb5-2.3.13-1.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing pam_krb5-2.3.13-1.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/pam_krb5-2.3.13-1.fc16
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2011-09-30 19:44:27 UTC
pam_krb5-2.3.13-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.