Bug 974096
| Field | Value |
|---|---|
| Summary | Kerberos ticket forwarding does not work if /tmp is polyinstantiated |
| Product | Red Hat Enterprise Linux 6 |
| Component | openssh |
| Version | 6.4 |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Reporter | Jan Pazdziora <jpazdziora> |
| Assignee | Petr Lautrbach <plautrba> |
| QA Contact | Lukas "krteknet" Novy <lnovy> |
| CC | ebenes, ksrot, lnovich, lnovy, mvadkert, pvrabec |
| Target Milestone | rc |
| Hardware | All |
| OS | Linux |
| Type | Bug |
| Doc Type | Bug Fix |
|  | 1083495 |
| Last Closed | 2013-11-21 09:46:31 UTC |

Doc Text:

If the /tmp directory of the target user was polyinstantiated, no credentials cache was found on the remote machine.

Fix: the cache is now recreated in the new /tmp after the PAM session is initiated.
Description

Jan Pazdziora, 2013-06-13 12:15:59 UTC

Created attachment 760670: fixed openssh-5.3p1-gsskex.patch

It's possible to store krb5 credentials after a PAM session is created. This patch changes the order: instead of ssh_gssapi_storecreds(); ssh_selinux_setup_exec_context(); do_pam_session(), it moves ssh_gssapi_storecreds() to the end of the chain.

There's a possible workaround using pam_exec, which could be set up to wrap pam_namespace in the PAM configuration. A script could copy the cache out of /tmp before pam_namespace is run, and copy the cache back after pam_namespace has set up a new /tmp. Something similar to this:

Snip of the PAM config:

```
session optional pam_exec.so /etc/security/namespace.d/kerberos
session required pam_namespace.so
session optional pam_exec.so /etc/security/namespace.d/kerberos 1
```

# cat /etc/security/namespace.d/kerberos

```bash
#!/bin/bash
# pam_exec hook wrapped around pam_namespace: stash the Kerberos credential
# cache before /tmp is polyinstantiated and restore it afterwards.
# Called with no argument before pam_namespace and with one argument ("1")
# after it, as in the PAM configuration above.

STASH_DIR=/var/tmp/krbcc

# No forwarded credentials: nothing to do.
if [ -z "$KRB5CCNAME" ]; then
    exit 0
fi

# Only FILE: caches under /tmp are affected by the polyinstantiation.
CCNAME=${KRB5CCNAME#FILE:}
if [ "${CCNAME#/tmp}" = "$CCNAME" ]; then
    exit 0
fi

# One archive per cache path, slashes replaced by dashes.
ARCHIVE="$STASH_DIR/${CCNAME//\//-}.tar"

if [ $# -eq 0 ]; then
    # Before pam_namespace: archive the cache (tar keeps owner and mode)
    # and remove it from the old /tmp. The stash directory is root-only.
    mkdir -p -m 0700 "$STASH_DIR"
    tar cvf "$ARCHIVE" "$CCNAME"
    rm -rf "$CCNAME"
    exit 0
fi

if [ $# -eq 1 ]; then
    # After pam_namespace: extract into the new /tmp, preserving permissions,
    # then drop the archive.
    tar -C / -x -v -p -f "$ARCHIVE"
    rm -f "$ARCHIVE"
    exit 0
fi
```

An update was pushed with a fix based on the suggestion in https://bugzilla.redhat.com/show_bug.cgi?id=987792#c6.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-1591.html
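The following diagnostic is an added example for this bug, not code from the bug report or from the openssh package. Run on the remote host inside a session opened with GSSAPI credential delegation, it tells you whether that session has a private (polyinstantiated) /tmp and whether the credential cache sshd named in KRB5CCNAME is actually reachable, which is the symptom the report describes. The file name kerberos-ccache-check used in the run guard is an assumed name; the comparison against PID 1's view of /tmp needs root and reports "unknown" otherwise.

```bash
#!/bin/bash
# Added diagnostic (not part of bug 974096 or of openssh). Checks whether a
# forwarded Kerberos credential cache survives pam_namespace's private /tmp.

# Return the file path behind a krb5 cache name. Only FILE: caches are
# affected by a polyinstantiated /tmp; other cache types are passed through
# unchanged so the caller can recognise them.
ccache_path() {
    case "$1" in
        FILE:*) printf '%s\n' "${1#FILE:}" ;;
        *)      printf '%s\n' "$1" ;;
    esac
}

# True when the path lives inside /tmp, the directory pam_namespace replaces.
under_tmp() {
    case "$1" in
        /tmp/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# True when the cache file exists and is readable by the caller.
ccache_present() {
    [ -f "$1" ] && [ -r "$1" ]
}

# Compare the device:inode of /tmp in this session with the one seen from
# PID 1's mount namespace. A different inode means a per-user instance has
# been mounted over /tmp for this session. Reading /proc/1/root needs root,
# so a non-root caller gets status 2 (unknown) instead of an answer.
tmp_is_polyinstantiated() {
    local here there
    here=$(stat -c '%d:%i' /tmp 2>/dev/null) || return 2
    there=$(stat -c '%d:%i' /proc/1/root/tmp 2>/dev/null) || return 2
    [ "$here" != "$there" ]
}

# Summarise the situation; exit status 0 means the cache is usable here.
report() {
    local cc
    cc=$(ccache_path "${KRB5CCNAME:-}")
    if [ -z "$cc" ]; then
        echo "KRB5CCNAME is not set: sshd did not hand a forwarded cache to this session"
        return 1
    fi
    if ! under_tmp "$cc"; then
        echo "cache $cc is not under /tmp, so polyinstantiation does not affect it"
    fi
    if tmp_is_polyinstantiated; then
        echo "/tmp in this session is a private (polyinstantiated) instance"
    elif [ $? -eq 1 ]; then
        echo "/tmp in this session is the system-wide /tmp"
    else
        echo "cannot compare /tmp with PID 1's view (run as root to find out)"
    fi
    if ccache_present "$cc"; then
        echo "credential cache $cc is present"
        return 0
    fi
    echo "credential cache $cc is missing: the symptom described in this bug"
    return 1
}

# Run the report only when executed as the script itself (assumed file name
# kerberos-ccache-check); when sourced into another shell for its functions,
# do nothing so the functions can be called individually.
case "${0##*/}" in
    kerberos-ccache-check*) report; exit $? ;;
esac
```

Save it as kerberos-ccache-check, copy it to the remote host and run it right after logging in with `ssh -K`; a missing cache combined with a private /tmp is exactly the ordering problem the patch above fixes, and the same check can confirm that the pam_exec workaround restored the cache.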