Red Hat Bugzilla – Bug 619726
vsftpd with Kerberos doesn't clean up Credentials Cache
Last modified: 2014-11-09 17:33:23 EST
Description of problem:
When you ftp to a machine running vsftpd that uses krb5 authentication through PAM it generates a TGT credentials cache in /tmp. As expected. But this never gets removed when the ftp session ends.
This means /tmp gets very full of (tens of) thousands of krb5cc files on a busy server.
Version-Release number of selected component (if applicable):
All versions (including RHEL 4)
(but interestingly seems to not happen on F13 using SSSD)
Steps to Reproduce:
1.ftp to server and login as a kerberos user.
2.Examine the server's /tmp directory for new krb5cc_ file for this user
3.Log out of FTP
4.Check /tmp for the new krb5cc file and observer that it's still there
The credentials cache gets removed at the end of the FTP session.
It's not like ftpd can just throw away it's credentials cache on login, as it's possible (I guess) it may need to access say NFSv4 directories requiring krb5 authentication.
I suppose this maybe hard to fix if vsftp has chrooted, can't remember if it does in a non-anonymous login?
A further wrinkle, on certain FTP clients that start lots of parallel sessions you end up with log entries on the KDC:
Jul 30 10:38:31 cslu2ux01 krb5kdc(info): DISPATCH: repeated (retransmitted?) request from 10.100.53.144, resending previous response
, but I guess this is just expected.
F13 not doing this with SSSD, I'd imagine points to the ultimate solution to this in later RHEL's (i.e. 6) using a smarter back end.
Please, configure session_support option in the vsftpd.conf:
yup that seems to work.