Bug 1015559 - ksu ignores credentials stored in cache collections
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: krb5
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Nalin Dahyabhai
QA Contact: Patrik Kis
URL: http://krbdev.mit.edu/rt/Ticket/Displ...
Keywords: Regression
Duplicates: 1030002
Depends On:
Blocks: 854406
Reported: 2013-10-04 09:50 EDT by Patrik Kis
Modified: 2014-06-17 21:07 EDT
CC List: 4 users

See Also:
Fixed In Version: krb5-1.11.3-33.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-13 05:53:09 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Patrik Kis 2013-10-04 09:50:42 EDT
Description of problem:
Maybe this issue is caused by the not yet implemented kernel keyring cache, but I'd rather file it to be sure.

Version-Release number of selected component (if applicable):
krb5-1.11.3-21.el7

How reproducible:
always

Steps to Reproduce:
1. Create the KDC principals:
# kdb5_util -s create
...
# kadmin.local
kadmin.local:  ank alice
...
kadmin.local:  ank -randkey host/rhel7.pkis.net
...
kadmin.local:  ktadd host/rhel7.pkis.net
...
kadmin.local:  q
#
# useradd alice
# useradd bob
# service krb5kdc start
...

2. Allow alice to use ksu
# su - alice
$ echo 'alice@EXAMPLE.COM' >.k5login
$ exit

3. Try ksu
# su - bob
$ kinit alice
Password for alice@EXAMPLE.COM: 
$ klist 
Ticket cache: KEYRING:persistent:1001:1001
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
10/04/2013 15:47:59  10/05/2013 15:47:59  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 10/04/2013 15:47:59
$ ksu alice
WARNING: Your password may be exposed if you enter it here and are logged 
         in remotely using an unsecure (non-encrypted) channel. 
Kerberos password for alice@EXAMPLE.COM: : 
No password given
Authentication failed.


Actual results:
ksu does not work as expected

Expected results:
ksu works as in RHEL-6:
[bob@rhel6 ~]$ ksu alice
Authenticated alice@EXAMPLE.COM
Account alice: authorization for alice@EXAMPLE.COM successful
Changing uid to alice (500)
[alice@rhel6 bob]$ id
uid=500(alice) gid=500(alice) groups=500(alice) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023


Additional info:
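The transcript above shows the first thing to check when ksu falls back to a password prompt: what kind of credential cache `klist` is reporting. The script below is an added example written for this report, not code from the bug or from krb5. It parses klist output (the sample is constructed from the transcript above), reports whether the cache is a collection type that a FILE-assuming tool may not be able to read, and checks that a TGT for the principal's realm is valid at a given time. The set of collection-capable types (DIR, KEYRING, KCM) is this script's own list, taken from the documented MIT ccache types.

```python
"""Classify the credential cache that `klist` reports and check its TGT.

Added example for this report; not code from the bug or from krb5.
SAMPLE_KLIST is constructed from the klist transcript in the report.
"""
import re
import subprocess
import sys
from datetime import datetime

# Cache types that can hold credentials for several principals at once.
# A FILE cache holds one principal; code that assumes FILE (as the ksu
# in this report did) cannot address the members of a collection.
COLLECTION_TYPES = {"DIR", "KEYRING", "KCM"}

# klist prints timestamps in this form on the RHEL 7 box in the report.
TIME_FMT = "%m/%d/%Y %H:%M:%S"
TS = r"\d\d/\d\d/\d{4} \d\d:\d\d:\d\d"
TICKET_RE = re.compile(r"^(%s)\s+(%s)\s+(\S+)\s*$" % (TS, TS))

# Constructed sample: the klist output from step 3 of the report.
SAMPLE_KLIST = (
    "Ticket cache: KEYRING:persistent:1001:1001\n"
    "Default principal: alice@EXAMPLE.COM\n"
    "\n"
    "Valid starting       Expires              Service principal\n"
    "10/04/2013 15:47:59  10/05/2013 15:47:59  krbtgt/EXAMPLE.COM@EXAMPLE.COM\n"
    "\trenew until 10/04/2013 15:47:59\n"
)


def parse_klist(text):
    """Return cache name/type, default principal and the listed tickets."""
    info = {"cache": None, "type": None, "principal": None, "tickets": []}
    for line in text.splitlines():
        if line.startswith("Ticket cache:"):
            cache = line.split(":", 1)[1].strip()
            info["cache"] = cache
            # A cache name without a type prefix is a FILE cache path.
            info["type"] = cache.split(":", 1)[0] if ":" in cache else "FILE"
        elif line.startswith("Default principal:"):
            info["principal"] = line.split(":", 1)[1].strip()
        else:
            m = TICKET_RE.match(line)
            if m:
                info["tickets"].append({
                    "start": datetime.strptime(m.group(1), TIME_FMT),
                    "expires": datetime.strptime(m.group(2), TIME_FMT),
                    "service": m.group(3),
                })
    return info


def is_collection(info):
    """True if the cache type can hold a collection of principals."""
    return info["type"] in COLLECTION_TYPES


def tgt_valid_at(info, realm, when):
    """Return the TGT for `realm` if it is valid at `when` (a TIME_FMT string)."""
    now = datetime.strptime(when, TIME_FMT)
    svc = "krbtgt/%s@%s" % (realm, realm)
    for t in info["tickets"]:
        if t["service"] == svc and t["start"] <= now < t["expires"]:
            return t
    return None


def diagnose(text, when):
    """Summarise what a FILE-assuming tool would run into with this cache."""
    info = parse_klist(text)
    notes = []
    if info["principal"] is None:
        notes.append("no default principal; the cache is empty or missing")
        return info, notes
    realm = info["principal"].rsplit("@", 1)[1]
    if is_collection(info):
        notes.append("%s is a collection cache; tools that assume a FILE cache "
                     "may not find these credentials" % info["type"])
    if tgt_valid_at(info, realm, when) is None:
        notes.append("no TGT for %s valid at %s" % (realm, when))
    return info, notes


if __name__ == "__main__":
    # Run against the live klist output when invoked directly.
    out = subprocess.run(["klist"], capture_output=True, text=True).stdout
    info, notes = diagnose(out, datetime.now().strftime(TIME_FMT))
    print("cache: %s (type %s), principal: %s"
          % (info["cache"], info["type"], info["principal"]))
    for n in notes:
        print("note: " + n)
    sys.exit(1 if notes else 0)
```

Run it as the user who is about to call ksu; a non-zero exit means either the TGT is not valid or the credentials live in a collection cache, which is the situation this report is about.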
Comment 2 Nalin Dahyabhai 2013-10-16 16:50:32 EDT
While this is still being worked on, please include the versions of keyutils and the running kernel, as they affect what's going on underneath Kerberos.

As of 3.10.0-34.el7, I don't see a 'big_key' kernel module and 'keyctl get_persistent @s `id -u`' fails with an "operation not supported" error, so the kernel-side bits apparently aren't there yet.

This is a different bug, though, due in part to patches we added to ksu way back when FILE ccaches were the norm.
Comment 3 Patrik Kis 2013-10-17 10:48:08 EDT
I reproduced the issue on my updated RHEL-7 box with these packages:

# rpm -qa krb5\* kernel keyutils
krb5-appl-clients-1.0.3-7.el7.x86_64
keyutils-1.5.8-1.el7.x86_64
kernel-3.10.0-34.el7.x86_64
krb5-debuginfo-1.11.3-24.el7.x86_64
krb5-server-1.11.3-24.el7.x86_64
krb5-workstation-1.11.3-24.el7.x86_64
krb5-appl-servers-1.0.3-7.el7.x86_64
krb5-server-ldap-1.11.3-24.el7.x86_64
krb5-devel-1.11.3-24.el7.x86_64
krb5-libs-1.11.3-24.el7.x86_64
Comment 4 Nalin Dahyabhai 2013-10-18 10:20:06 EDT
ksu doesn't seem to understand credential cache collections when it attempts to copy your credentials from them to a temporary, to perform ticket-based authentication.  There's one check that we could change that would make it work again, but the code still assumes that a "FILE" cache is being used in enough places that I'm uneasy calling that a proper fix.  I've opened an upstream ticket to solicit some advice.
Comment 8 Nalin Dahyabhai 2013-11-07 08:42:22 EST
Changes proposed upstream, adding current in-progress version of the fixes to krb5-1.11.3-30.el7.  We'll probably need to revise them, but in the meantime we can get some testing.
Comment 11 Patrik Kis 2013-11-13 09:42:34 EST
Hi Nalin,

I'm not sure if this issue is related, but ksu still does not work if the target is root. The scenario below is working on RHEL-6.
BTW, the originally reported issue is working.

# echo Ariel@ZMRAZ.COM > /root/.k5login
# echo Ariel@ZMRAZ.COM > /home/Ariel/.k5login
#
# su - ktest
Last login: Wed Nov 13 09:31:01 EST 2013 on pts/0
$ 
$ kinit Ariel
Password for Ariel@ZMRAZ.COM: 
$ klist 
Ticket cache: KEYRING:persistent:1006:1006
Default principal: Ariel@ZMRAZ.COM

Valid starting       Expires              Service principal
11/13/2013 09:39:36  11/14/2013 09:39:36  krbtgt/ZMRAZ.COM@ZMRAZ.COM
	renew until 11/13/2013 09:39:36
$
$ ksu Ariel -e /bin/id
Authenticated Ariel@ZMRAZ.COM
Account Ariel: authorization for Ariel@ZMRAZ.COM for execution of
               /bin/id successful
Changing uid to Ariel (1005)
uid=1005(Ariel) gid=1005(Ariel) groups=1005(Ariel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$
$ ksu -e /bin/id
account root: authorization failed
$
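The two outcomes in the transcript above ("authorization for Ariel@ZMRAZ.COM ... successful" for the Ariel target, "account root: authorization failed" for the root target) are decided by the target account's .k5login after authentication has already succeeded. The model below is an added example written for this report, not code from the bug or from krb5. It follows the documented .k5login rule (one principal per line in the target user's home directory; without the file, only the principal that maps to the local user name in the default realm is accepted). The ownership and write-permission checks are the hardening this example enforces and are stated as an assumption, not as a description of what ksu or krb5_kuserok does; `demo()` builds a throwaway home directory owned by the current uid to exercise each outcome.

```python
"""Model of the .k5login authorization step that follows ksu's
authentication.  Added example; not code from the bug report or krb5.

Assumed rules: the target user's ~/.k5login lists one principal per
line; without it, only user@DEFAULT_REALM may become `user`; a .k5login
that is not owned by the target user or root, or that others can write,
is refused outright (this example's hardening, not necessarily ksu's).
"""
import os
import pwd
import shutil
import stat
import tempfile


def default_mapping_ok(principal, target_user, default_realm):
    """Simplified default mapping used when there is no .k5login."""
    return principal == "%s@%s" % (target_user, default_realm)


def read_k5login(path, target_uid):
    """Return the principals listed in `path`, or None if there is no file.

    Raises PermissionError if someone other than the target user or root
    could have planted or edited the file (assumed rule)."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError("%s is not a regular file" % path)
    if st.st_uid not in (0, target_uid):
        raise PermissionError("%s is not owned by uid %d or root" % (path, target_uid))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError("%s is group- or world-writable" % path)
    with open(path) as f:
        return [line.strip() for line in f if line.strip()]


def authorize(principal, target_user, target_uid, home, default_realm):
    """Return (ok, reason) for `principal` trying to become `target_user`."""
    path = os.path.join(home, ".k5login")
    entries = read_k5login(path, target_uid)
    if entries is None:
        ok = default_mapping_ok(principal, target_user, default_realm)
        return ok, "no %s; default mapping %s" % (path, "matched" if ok else "did not match")
    if principal in entries:
        return True, "%s is listed in %s" % (principal, path)
    return False, "%s is not listed in %s" % (principal, path)


def authorize_user(principal, target_user, default_realm):
    """Resolve the target account from the password database; a target of
    'root' therefore consults /root/.k5login, as in the transcript."""
    pw = pwd.getpwnam(target_user)
    return authorize(principal, target_user, pw.pw_uid, pw.pw_dir, default_realm)


def demo():
    """Exercise each outcome in a throwaway home directory owned by the
    current uid (constructed scenario); returns case name -> authorized?"""
    home = tempfile.mkdtemp()
    uid = os.getuid()
    path = os.path.join(home, ".k5login")
    realm = "EXAMPLE.COM"
    try:
        with open(path, "w") as f:
            f.write("alice@EXAMPLE.COM\nadmin/alice@EXAMPLE.COM\n")
        os.chmod(path, 0o600)
        results = {
            "listed": authorize("alice@EXAMPLE.COM", "alice", uid, home, realm)[0],
            "listed_instance": authorize("admin/alice@EXAMPLE.COM", "alice", uid, home, realm)[0],
            "not_listed": authorize("bob@EXAMPLE.COM", "alice", uid, home, realm)[0],
        }
        os.remove(path)
        results["no_file_same_name"] = authorize("alice@EXAMPLE.COM", "alice", uid, home, realm)[0]
        results["no_file_other_name"] = authorize("bob@EXAMPLE.COM", "alice", uid, home, realm)[0]
        # A world-writable .k5login is refused even though bob is listed in it.
        with open(path, "w") as f:
            f.write("bob@EXAMPLE.COM\n")
        os.chmod(path, 0o666)
        try:
            authorize("bob@EXAMPLE.COM", "alice", uid, home, realm)
            results["writable_refused"] = False
        except PermissionError:
            results["writable_refused"] = True
    finally:
        shutil.rmtree(home)
    return results


if __name__ == "__main__":
    for case, ok in sorted(demo().items()):
        print("%-20s %s" % (case, "authorized" if ok else "refused"))
```

On a real host, `authorize_user("Ariel@ZMRAZ.COM", "root", "ZMRAZ.COM")` is the check behind the `ksu -e /bin/id` case above; if it returns True while ksu still prints "authorization failed", the problem is in ksu's handling of the credentials, not in the .k5login contents.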
Comment 12 Patrik Kis 2013-11-13 11:44:43 EST
The case above was opened as new bug 1030002
Comment 13 Nalin Dahyabhai 2013-11-13 17:47:10 EST
It turns out that, contrary to my initial diagnosis, it's actually part of this bug that I missed the first couple of revisions - marking #1030002 as a duplicate of this one.
Comment 14 Nalin Dahyabhai 2013-11-13 17:49:12 EST
*** Bug 1030002 has been marked as a duplicate of this bug. ***
Comment 18 Ludek Smid 2014-06-13 05:53:09 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
