Bug 1035254 - ssh client does not use primary ccache of a Kerberos ccache collection
Summary: ssh client does not use primary ccache of a Kerberos ccache collection
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: doc-Identity_Management_Guide
Version: 6.6
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Deon Ballard
QA Contact: ecs-bugs
URL:
Whiteboard:
Depends On: 1034958
Blocks:
Reported: 2013-11-27 11:42 UTC by Sumit Bose
Modified: 2014-07-29 20:25 UTC
CC: 10 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-07-29 20:25:35 UTC
Target Upstream Version:
Embargoed:



Description Sumit Bose 2013-11-27 11:42:51 UTC
Description of problem:

If a Kerberos credential cache collection is used, the ssh client does not use the current primary credential cache but picks a different one:

[root@vm-197 ~]# kdestroy -A
[root@vm-197 ~]# klist -A
[root@vm-197 ~]# kinit admin
Password for admin: 
[root@vm-197 ~]# kinit Administrator
Password for Administrator: 
[root@vm-197 ~]# klist
Ticket cache: DIR::/run/user/0/krb5cc/tktLm9rKl
Default principal: Administrator

Valid starting       Expires              Service principal
27.11.2013 11:25:23  27.11.2013 21:25:23  krbtgt/SUBDOM.SUB
	renew until 28.11.2013 11:25:16
[root@vm-197 ~]# klist -l
Principal name                 Cache name
--------------                 ----------
Administrator       DIR::/run/user/0/krb5cc/tktLm9rKl
admin              DIR::/run/user/0/krb5cc/tktk9sv02
[root@vm-197 ~]# ssh -l Administrator vm-197.idm.lab.eng.brq.redhat.com
Administrator@vm-197.idm.lab.eng.brq.redhat.com's password: 

[root@vm-197 ~]# klist -A
Ticket cache: DIR::/run/user/0/krb5cc/tktLm9rKl
Default principal: Administrator

Valid starting       Expires              Service principal
27.11.2013 11:25:23  27.11.2013 21:25:23  krbtgt/SUBDOM.SUB
	renew until 28.11.2013 11:25:16

Ticket cache: DIR::/run/user/0/krb5cc/tktk9sv02
Default principal: admin

Valid starting       Expires              Service principal
27.11.2013 11:25:18  28.11.2013 11:25:16  krbtgt/IPASB.SBOSE
27.11.2013 11:25:48  28.11.2013 11:25:16  host/vm-197.idm.lab.eng.brq.redhat.com



The host ticket is obtained for admin although Administrator is the primary one and should be used in this case.


 

Version-Release number of selected component (if applicable):
openssh-6.2p2-6.fc19  (looks like newer versions in F20 and F21 are affected as well)



Actual results:
Wrong ccache is used by ssh client

Expected results:
ssh client should use the primary credential cache in a credential cache collection.

Additional info:
I rebuilt openssh-6.4p1-2 from F20 on the same F19 host and found the same issue. So it looks like newer versions of openssh are affected as well.

Comment 1 Alexander Bokovoy 2013-11-27 17:22:59 UTC
I've done some discussion with Simo and he pointed out that this is expected behavior for Kerberos credentials cache collections as described at http://k5wiki.kerberos.org/wiki/Projects/Client_principal_selection

What we need to do is to convert this bug into a documentation bug for Kerberos. At the very least, this change of the behavior due to the introduction of the ccache collections should go to release notes (Fedora 20 and RHEL7).

We'll track it at bug #1034958 for RHEL7. This bug can be used to track it for Fedora.
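
The selection behavior that comment 1 points to can be modelled to show why the admin cache, not the primary Administrator cache, is the one ssh ends up using. The following is an added example, not code from this bug or from the krb5 or openssh projects: it is a simplified, assumed model of the client principal selection design (existing service ticket first, then a cache whose client realm matches the server's realm, then the primary cache). The CCache class, host_realm, select_ccache and the DOMAIN_REALM table are constructed for this illustration; the realm mapping for the target host is inferred from the host ticket shown in the klist -A output above, and the `ccache` and `sshcc` names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class CCache:
    """One credential cache inside a DIR: collection (constructed, simplified)."""
    name: str                                    # e.g. "DIR::/run/user/0/krb5cc/tktk9sv02"
    client: str                                  # client principal, e.g. "admin@IPASB.SBOSE"
    services: Set[str] = field(default_factory=set)  # service principals already cached

    @property
    def realm(self) -> str:
        return self.client.rsplit("@", 1)[1]


def host_realm(hostname: str, domain_realm: Dict[str, str]) -> Optional[str]:
    """Longest-suffix lookup in a [domain_realm]-style table (hypothetical table)."""
    h = hostname.lower()
    best: Optional[Tuple[str, str]] = None
    for domain, realm in domain_realm.items():
        d = domain.lower()
        if h == d.lstrip(".") or h.endswith(d):
            if best is None or len(d) > len(best[0]):
                best = (d, realm)
    return best[1] if best else None


def select_ccache(collection: List[CCache], primary: CCache,
                  server_principal: str, domain_realm: Dict[str, str]) -> Tuple[CCache, str]:
    """Assumed model of how a GSSAPI initiator without an explicit client name
    picks a cache from a collection:
      1. a cache that already holds a ticket for the server wins
      2. otherwise a cache whose client realm equals the server's realm
      3. otherwise the primary cache
    Returns the chosen cache and the reason, so the decision can be audited."""
    for cc in collection:
        if server_principal in cc.services:
            return cc, "existing service ticket"

    # Derive the server realm: explicit "@REALM" if given, else via domain_realm.
    if "@" in server_principal:
        realm: Optional[str] = server_principal.rsplit("@", 1)[1]
    else:
        svc_host = server_principal.split("/", 1)[1]
        realm = host_realm(svc_host, domain_realm)

    if realm:
        for cc in collection:
            if cc.realm == realm:
                return cc, "client realm matches server realm %s" % realm

    return primary, "primary cache (no better match)"


# Assumption: the target host lives in IPASB.SBOSE, inferred from the
# host/vm-197... ticket that ended up in admin's cache in the report.
DOMAIN_REALM = {".idm.lab.eng.brq.redhat.com": "IPASB.SBOSE"}


def report_scenario() -> Tuple[str, str]:
    """Reproduce the collection from the report: Administrator is primary."""
    administrator = CCache("DIR::/run/user/0/krb5cc/tktLm9rKl", "Administrator@SUBDOM.SUB")
    admin = CCache("DIR::/run/user/0/krb5cc/tktk9sv02", "admin@IPASB.SBOSE")
    cc, why = select_ccache([administrator, admin], administrator,
                            "host/vm-197.idm.lab.eng.brq.redhat.com", DOMAIN_REALM)
    return cc.client, why


def primary_only_scenario() -> Tuple[str, str]:
    """Same host, but only the Administrator cache exists: fallback to primary."""
    administrator = CCache("DIR::/run/user/0/krb5cc/tktLm9rKl", "Administrator@SUBDOM.SUB")
    cc, why = select_ccache([administrator], administrator,
                            "host/vm-197.idm.lab.eng.brq.redhat.com", DOMAIN_REALM)
    return cc.client, why


if __name__ == "__main__":
    for label, fn in (("report", report_scenario), ("primary only", primary_only_scenario)):
        client, why = fn()
        print("%-13s -> %s (%s)" % (label, client, why))
```

The point for an operator is that the primary cache only decides the outcome when no cache in the collection is a better fit for the target realm; to force a specific identity for one connection, export KRB5CCNAME to that cache's path (or use a separate collection) instead of relying on kswitch.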

Comment 2 Alexander Bokovoy 2013-11-27 17:24:26 UTC
wrong component.

Comment 3 Martin Kosek 2013-11-28 11:24:36 UTC
(In reply to Alexander Bokovoy from comment #1)
> What we need to do is to convert this bug into documentation bug for
> Kerberos. At the very least, this change of the behavior due to introduction
> of the ccache collections should go to release notes (Fedora 20 and RHEL7).

What documentation do you plan to extend? FreeIPA User Guide? Or Kerberos documentation? This issue does not seem FreeIPA-specific to me, so I rather ask.

Comment 4 Alexander Bokovoy 2013-11-28 11:44:50 UTC
Three places:

- Kerberos documentation, making clear how cache collections work.
- FreeIPA guide, AD trusts chapter, making clear how ccache collections affect cross-realm operations.
- Release notes of the product, pointing to Kerberos documentation changes.

Comment 5 Martin Kosek 2013-11-28 12:13:35 UTC
Makes sense. Feel free to clone this Bugzilla also to other components of the product.

Comment 6 Martin Kosek 2013-12-03 09:49:47 UTC
I see no response, moving to documentation component myself.

Comment 8 Deon Ballard 2014-07-29 20:22:47 UTC
Mass closure. These bugs were live in RHEL 6.5.

