Description of problem: OpenSSH 4.3p2-7 adds a patch which moves PAM session management from the child process to the monitor when privilege separation is enabled. It is still the child which stores forwarded credentials when GSSAPI authentication is used, though, so the PAM session module no longer has access to those credentials. Version-Release number of selected component (if applicable): 4.3p2-7 How reproducible: Always Steps to Reproduce: 1. Configure pam_krb5 with the "external=sshd" option. 2. Configure syslog to log "debug" priority messages somewhere. 3. Attempt to log in using both GSSAPI authentication and credential delegation. Actual results: pam_krb5 logs that during pam_open_session, $KRB5CCNAME has not been set. (I can log in, but my AFS-based home directory is not accessible.) Expected results: pam_krb5 should find valid credentials in the location pointed to by $KRB5CCNAME so that it can use them to obtain AFS tokens. Additional info: This also affects pam_afs2 and pam_openafs_session. More discussion on how those modules work can be found in the thread at http://lists.openafs.org/pipermail/openafs-info/2005-April/017512.html
Nalin, do you have any ideas how to fix that other than removing the mentioned patch? I think that the only solution which would also completely fix the http://bugzilla.mindrot.org/show_bug.cgi?id=926 would be to leave the pam calls where they are and add another fork before the setuid calls and exec of the shell. For now I will probably remove the mentioned patch.
I removed the problematic patch.
Nalin, could you please try openssh-4.3p2-13.fc7 from rawhide? It contains improved pam-session patch which should not cause this bug anymore.
Works again, with either openssh-4.3p2-10.1.el5 or openssh-4.3p2-13.fc7. Thanks!
Well openssh-4.3p2-10.1.el5 doesn't contain the pam-session patch but openssh-4.3p2-13.fc7 does so that's good. Thanks for testing.