Bug 619726 - vsftpd with Kerberos doesn't clean up Credentials Cache
Summary: vsftpd with Kerberos doesn't clean up Credentials Cache
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: vsftpd   
(Show other bugs)
Version: 5.5
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Jiri Skala
QA Contact: BaseOS QE Security Team
Depends On:
TreeView+ depends on / blocked
Reported: 2010-07-30 10:24 UTC by Colin.Simpson
Modified: 2018-11-27 19:41 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-08-04 14:02:15 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Colin.Simpson 2010-07-30 10:24:42 UTC
Description of problem:
When you ftp to a machine running vsftpd that uses krb5 authentication through PAM it generates a TGT credentials cache in /tmp. As expected. But this never gets removed when the ftp session ends. 

This means /tmp gets very full of (tens of) thousands of krb5cc files on a busy server.

Version-Release number of selected component (if applicable):
All versions (including RHEL 4)
(but interestingly seems to not happen on F13 using SSSD)

How reproducible:
Every time

Steps to Reproduce:
1.ftp to server and login as a kerberos user.
2.Examine the server's /tmp directory for new krb5cc_ file for this user
3.Log out of FTP
4.Check /tmp for the new krb5cc file and observer that it's still there
Expected results:
The credentials cache gets removed at the end of the FTP session.

Additional info:
It's not like ftpd can just throw away it's credentials cache on login, as it's possible (I guess) it may need to access say NFSv4 directories requiring krb5 authentication. 

I suppose this maybe hard to fix if vsftp has chrooted, can't remember if it does in a non-anonymous login?

A further wrinkle, on certain FTP clients that start lots of parallel sessions you end up with log entries on the KDC:

Jul 30 10:38:31 cslu2ux01 krb5kdc[5037](info): DISPATCH: repeated (retransmitted?) request from, resending previous response

, but I guess this is just expected. 

F13 not doing this with SSSD, I'd imagine points to the ultimate solution to this in later RHEL's (i.e. 6) using a smarter back end.

Comment 1 Jiri Skala 2010-08-04 14:02:15 UTC
Please, configure session_support option in the vsftpd.conf:


Comment 2 Colin.Simpson 2010-08-04 14:33:03 UTC
yup that seems to work. 


Note You need to log in before you can comment on or make changes to this bug.