Bug 733803

Summary: pam_krb5 leaks ccache files when loging in through ssh
Product: Red Hat Enterprise Linux 6 Reporter: Dmitri Pal <dpal>
Component: pam_krb5Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.1CC: caguado, cott, ksrot, ktdreyer, nalin, prc, redhatbugs, redhat-bugzilla, stefan.volkel.ext
Target Milestone: rc   
Target Release: ---   
Hardware: i686   
OS: Linux   
Whiteboard:
Fixed In Version: pam_krb5-2.3.11-7.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 725797 Environment:
Last Closed: 2011-12-06 17:36:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 720609, 725797    
Bug Blocks:    

Description Dmitri Pal 2011-08-26 22:46:55 UTC 
+++ This bug was initially created as a clone of Bug #725797 +++

Description of problem:

Each time a user logs in and out again, one ccache file is left in /tmp.

Users are managed in Active Directory and authenticate through nss-pam-ldapd/pam_krb5.

Version-Release number of selected component (if applicable):

pam_krb5-2.3.11-4.fc13.i686


How reproducible:

Every time.

Steps to Reproduce:
1.Log in via SSH
2.Log out

  
Actual results:

one ccache file left in /tmp

Expected results:

no ccache file left in /tmp


Additional info:

FWIW, setting multiple_ccaches did not seem to have any effect.

The file left around was /tmp/krb5cc_10011_n0pEkv.

It seems like this file is created just before the session starts:

Jul 26 16:40:40 fedora3-f13 sshd[17380]: pam_krb5[17380]: created v5 ccache 'FILE:/tmp/krb5cc_10011_n0pEkv' for 'test05'
Jul 26 16:40:40 fedora3-f13 sshd[17380]: pam_krb5[17380]: pam_open_session returning 0 (Success)
Jul 26 16:40:42 fedora3-f13 sshd[17380]: Received disconnect from 10.46.208.226: 11: disconnected by user
Jul 26 16:40:42 fedora3-f13 sshd[17369]: pam_unix(sshd:session): session closed for user test05

However after the session ends, a different file is tried for deletion:

Jul 26 16:40:42 fedora3-f13 sshd[17369]: pam_krb5[17369]: removing ccache 'FILE:/tmp/krb5cc_10011_LCo3fe'
Jul 26 16:40:43 fedora3-f13 sshd[17369]: pam_krb5[17369]: error removing ccache 'FILE:/tmp/krb5cc_10011_LCo3fe'

Which has been created just before /tmp/krb5cc_10011_n0pEkv.

Also, /tmp/krb5cc_10011_LCo3fe has already been deleted before /tmp/krb5cc_10011_n0pEkv was created:

17381 execve("/lib/security/pam_krb5/pam_krb5_storetmp", ["pam_krb5_storetmp", "/tmp/krb5cc_10011_LCo3fe", "4294967295", "4294967295"], [/* 15 vars */]) = 0
17381 unlink("/tmp/krb5cc_10011_LCo3fe") = 0
...
17382 execve("/lib/security/pam_krb5/pam_krb5_storetmp", ["pam_krb5_storetmp", "/tmp/krb5cc_10011_XXXXXX", "10011", "10000"], [/* 15 vars */]) = 0
17382 open("/tmp/krb5cc_10011_n0pEkv", O_RDWR|O_CREAT|O_EXCL, 0600) = 3
...
17422 execve("/lib/security/pam_krb5/pam_krb5_storetmp", ["pam_krb5_storetmp", "/tmp/krb5cc_10011_LCo3fe", "4294967295", "4294967295"], [/* 15 vars */]) = 0
17422 unlink("/tmp/krb5cc_10011_LCo3fe") = -1 ENOENT (No such file or directory)

--- Additional comment from stefan.volkel.ext on 2011-07-26 11:25:44 EDT ---

Created attachment 515305 [details]
/var/log/secure

--- Additional comment from stefan.volkel.ext on 2011-07-26 11:26:36 EDT ---

Created attachment 515306 [details]
strace -f -p $PID_OF_SSHD

--- Additional comment from stefan.volkel.ext on 2011-07-27 04:22:06 EDT ---

FWIW, it seems that the file kept after logout is the one from KRB5CCNAME

--- Additional comment from ktdreyer on 2011-08-26 18:19:48 EDT ---

Appears to be happening on RHEL 6.1 also. pam_krb5-2.3.11-6.el6.x86_64
Comment 2 Nalin Dahyabhai 2011-08-30 18:30:37 UTC 
This'll probably turn out to be a duplicate of bug #720609.  It should already be fixed in Raw Hide.
Comment 3 stefan.volkel.ext 2011-09-05 07:56:26 UTC 
I can not access #720609:

You are not authorized to access bug #720609. 

I need to fix this on Fedora 13. Is there a patch available? Or an updated package? 

Or can you provide the details so that I can fix it myself?
Comment 4 Nalin Dahyabhai 2011-09-06 15:52:09 UTC 
Keep in that Fedora 13 has passed its end-of-life date, so there won't be an update there.  I just noticed that Raw Hide doesn't have 2.3.13 yet, so I'll be building it there soon.  As for Fedora 13, using 'rpmbuild -tb' to build the tarball from https://fedorahosted.org/releases/p/a/pam_krb5/ is probably the most expedient route, as the backported patch for EL6 assumes some other things that were backported before it.  The patches from the upstream repository are spread across these commits:
  627a0a4d8c502d51a5b6e6e9828d66ed6c519e45
  39ee8381f2daa1531a5c3fe126b5728a9b3d0d85
  7bd1c02177bfb9fc5ea57556b0ee9444004c373d
  b7248ee6253ba6fd900e3a93016e29184ec1f264
  7d00c3c1bf016dcd8c41d00eeebb065590906d44
  9215413e55f9425149ae954181d657fb81103888
Comment 7 Kai Mosebach 2011-09-08 12:20:18 UTC 
Happens here as well, RHEL 6.1 64bit

openssh-5.3p1-52.el6_1.2.x86_64
pam_krb5-2.3.11-6.el6.x86_64
Comment 10 Cott Lang 2011-11-24 14:11:16 UTC 
Ditto here

openssh-5.3p1-52.el6_1.2.x86_64
pam_krb5-2.3.11-6.el6.x86_64
Comment 11 caguado 2011-11-29 07:25:17 UTC 
On RHEL6/x86_64 with pam_krb5-2.3.11-6.el6.x86_64

The following has been observed:
- If the host has a corresponding /etc/krb5.keytab and user logs in using his TGT then logout is able to find and delete the file /tmp/krb5cc_UID_XXXXXX without further message.
- If user logs following the password challenge (no TGT), upon log out, pam_krb5 is not able to find the ccache file and consequently prints the error "error removing ccache 'FILE:/tmp/krb5cc_UID_YYYYYY'" Note that in this case, ccache file name searched for deletion on logout is different from the one created at login time and then remaining in /tmp.
Comment 12 errata-xmlrpc 2011-12-06 17:36:03 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1704.html