Bug 1273271 - klist/kdestroy is hiding active credential cache
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: krb5
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Matt Rogers
QA Contact: Patrik Kis
Reported: 2015-10-20 02:31 EDT by Martin Kosek
Modified: 2017-08-01 13:58 EDT
Fixed In Version: krb5-1.15.1-1.el7
Doc Type: No Doc Update
Last Closed: 2017-08-01 13:58:41 EDT
Type: Bug
Attachments: None
Description Martin Kosek 2015-10-20 02:31:38 EDT
Description of problem:
When using a collection type of cache (like DIR or keyring) and kinit is run while there is an active credentials cache, the old cache is not overwritten; rather, a new one is initiated.

Then, both active caches can be used for authentication. This is intended behavior and works well when the "-A" option of klist/kdestroy is used to manipulate the caches. However, it is not intuitive for people used to file-based credential caches (which are overwritten on the next kinit), as they are simply not aware of a cache still being active "in the background":

1. kinit admin
2. authenticate to Kerberized web app (works fine - user admin)
3. kinit fbar
4. authenticate to Kerberized web app (works fine - user fbar)
5. kdestroy
6. klist (does not show any active cache)
7. authenticate to Kerberized web app - unexpectedly authenticates as admin again

Even though this is expected, kdestroy/klist do not show any active cache:

$ kdestroy
$ klist
klist: Credentials cache keyring 'persistent:17127:krb_ccache_7qITFed' not found
$ klist -A
klist: Credentials cache keyring 'persistent:17127:krb_ccache_tTQg0zv' not found

Ticket cache: KEYRING:persistent:17127:krb_ccache_JZtZsq0
Default principal: admin@EXAMPLE.COM

Valid starting       Expires              Service principal
10/19/2015 16:38:05  10/20/2015 16:38:03  krbtgt/EXAMPLE.COM@EXAMPLE.COM

Version-Release number of selected component (if applicable):
krb5-1.13.2-10.el7

How reproducible:
Always

Steps to Reproduce:
1. See above

Actual results:
See above; the current implementation may simply lead to security issues, as people's expectations are not met.


Expected results:

It would be better to at least indicate that there is another active cache present:

$ klist
klist: Credentials cache keyring 'persistent:17127:krb_ccache_7qITFed' not found
klist: Other credentials cache present, use "-A" for a full list

$ kdestroy
kdestroy: Other credentials cache present, use "-A" to destroy all
Comment 2 Patrik Kis 2015-12-09 07:37:18 EST
Maybe klist could display all caches by default, like klist -A. Just an idea.
Comment 10 Patrik Kis 2017-04-28 08:39:01 EDT
I did a little testing and, as indicated in the upstream PR (reference in comment 5), a hint was added to kdestroy, but not to klist.

@Martin, you filed this BZ; are you OK with that? If yes, we can consider this request as fixed.


More details:

[root@rhel7]# rpm -q krb5-libs
krb5-libs-1.15.1-7.el7.x86_64
[root@rhel7]# 
[root@rhel7]# echo aaa |kinit alice
Password for alice@ZMRAZ.COM: 
[root@rhel7]# klist 
Ticket cache: KEYRING:persistent:0:krb_ccache_XrBKEoi
Default principal: alice@ZMRAZ.COM

Valid starting       Expires              Service principal
04/28/2017 14:27:14  04/29/2017 14:27:14  krbtgt/ZMRAZ.COM@ZMRAZ.COM
[root@rhel7]# 
[root@rhel7]# echo bbb | kinit bob
Password for bob@ZMRAZ.COM: 
[root@rhel7]# klist 
Ticket cache: KEYRING:persistent:0:krb_ccache_PgwlFMV
Default principal: bob@ZMRAZ.COM

Valid starting       Expires              Service principal
04/28/2017 14:27:17  04/29/2017 14:27:17  krbtgt/ZMRAZ.COM@ZMRAZ.COM
[root@rhel7]# 
[root@rhel7]# kdestroy 
Other credential caches present, use -A to destroy all
[root@rhel7]# klist 
klist: Credentials cache keyring 'persistent:0:krb_ccache_PgwlFMV' not found
[root@rhel7]# 
[root@rhel7]# kswitch -p alice
[root@rhel7]# klist 
Ticket cache: KEYRING:persistent:0:krb_ccache_XrBKEoi
Default principal: alice@ZMRAZ.COM

Valid starting       Expires              Service principal
04/28/2017 14:27:14  04/29/2017 14:27:14  krbtgt/ZMRAZ.COM@ZMRAZ.COM
[root@rhel7]# 
[root@rhel7]# kdestroy 
[root@rhel7]# klist -A
[root@rhel7]# klist -l
Principal name                 Cache name
--------------                 ----------
[root@rhel7]#
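The reproduction in the description and the transcript in comment 10 show the gap from the user's side: after `kdestroy`, `klist` reports only that the primary cache is gone, while other caches in the KEYRING collection remain usable until `kdestroy -A` is run. The shell example below is added here and is not code from the bug report or from krb5. It parses the two-column output of `klist -l` (the format shown at the end of comment 10) to count and name the caches that remain in the collection, so a logout script or shell hook can warn that an "admin" ticket is still active instead of staying silent. The sample listings are constructed to match that format; `count_caches`, `list_principals`, `check_collection` and `kdestroy_all_verified` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not part of the bug report or of krb5.
# Parses `klist -l` output to report credential caches that remain in a
# collection (KEYRING/DIR) after kdestroy. Only the primary cache is
# destroyed by a plain kdestroy; the others stay valid for authentication.

# count_caches: read `klist -l` output on stdin and print the number of
# cache rows. The first two lines are the column header and the dashed
# separator; every later line with at least two fields is one cache.
# Expired caches are still listed by klist -l (with an "(Expired)" suffix)
# and are counted here as well, since they still occupy the collection.
count_caches() {
    awk 'NR > 2 && NF >= 2 { n++ } END { print n + 0 }'
}

# list_principals: print the principal column of each remaining cache.
list_principals() {
    awk 'NR > 2 && NF >= 2 { print $1 }'
}

# check_collection: read `klist -l` output on stdin; return 0 if the
# collection is empty, otherwise warn on stderr and return 1.
check_collection() {
    out=$(cat)
    n=$(printf '%s\n' "$out" | count_caches)
    if [ "$n" -gt 0 ]; then
        echo "warning: $n credential cache(s) still active in the collection:" >&2
        printf '%s\n' "$out" | list_principals >&2
        echo "run 'kdestroy -A' to destroy all of them" >&2
        return 1
    fi
    return 0
}

# kdestroy_all_verified: destroy every cache in the collection and verify
# that klist -l now lists none. Requires klist/kdestroy (krb5-workstation);
# the functions above are exercised with the constructed samples instead.
kdestroy_all_verified() {
    command -v klist >/dev/null 2>&1 || { echo "klist not installed" >&2; return 2; }
    kdestroy -A || return 1
    klist -l 2>/dev/null | check_collection
}

# Constructed sample: two caches left behind after the steps in comment 10
# (names copied from that transcript), in the layout klist -l prints.
SAMPLE_TWO='Principal name                 Cache name
--------------                 ----------
alice@ZMRAZ.COM                KEYRING:persistent:0:krb_ccache_XrBKEoi
bob@ZMRAZ.COM                  KEYRING:persistent:0:krb_ccache_PgwlFMV'

# Constructed sample: the empty listing after kdestroy -A.
SAMPLE_NONE='Principal name                 Cache name
--------------                 ----------'

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_TWO" | check_collection || echo "(caches remain, as expected)"
printf '%s\n' "$SAMPLE_NONE" | check_collection && echo "collection is empty"
```

In practice `kdestroy_all_verified` replaces a bare `kdestroy` in a logout or session-cleanup script; `check_collection` alone can be run after any `kdestroy` to surface the situation the description complains about, where `klist` says "not found" while `klist -A` still lists an active principal.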
Comment 14 Martin Kosek 2017-05-10 06:53:18 EDT
(In reply to Patrik Kis from comment #10)
> I did a little testing and, as indicated in the upstream PR (reference
> in comment 5), a hint was added to kdestroy, but not to klist.
> 
> @Martin, you filed this BZ; are you OK with that? If yes, we can consider this
> request as fixed.

Sorry, I missed this update. Yes, this should help to prevent/fix the original issue I had. Thank you.
Comment 15 errata-xmlrpc 2017-08-01 13:58:41 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1891