Bug 725797 - pam_krb5 leaks ccache files when logging in through ssh
Product: Fedora
Classification: Fedora
Component: pam_krb5
i686 Linux
Assigned To: Nalin Dahyabhai
Fedora Extras Quality Assurance
Blocks: 733803
Reported: 2011-07-26 11:25 EDT by stefan.volkel.ext
Modified: 2011-09-30 15:44 EDT
Fixed In Version: pam_krb5-2.3.13-1.fc16
Doc Type: Bug Fix
Last Closed: 2011-09-30 15:44:40 EDT

Attachments:
/var/log/secure (20.04 KB, application/octet-stream), 2011-07-26 11:25 EDT, stefan.volkel.ext
strace -f -p $PID_OF_SSHD (3.25 MB, application/octet-stream), 2011-07-26 11:26 EDT, stefan.volkel.ext

Description stefan.volkel.ext 2011-07-26 11:25:02 EDT
Description of problem:

Each time a user logs in and out again, one ccache file is left in /tmp.

Users are managed in Active Directory and authenticate through nss-pam-ldapd/pam_krb5.

Version-Release number of selected component (if applicable):


How reproducible:

Every time.

Steps to Reproduce:
1. Log in via SSH
2. Log out

Actual results:

one ccache file left in /tmp

Expected results:

no ccache file left in /tmp

Additional info:

FWIW, setting multiple_ccaches did not seem to have any effect.

The file left around was /tmp/krb5cc_10011_n0pEkv.

It seems like this file is created just before the session starts:

Jul 26 16:40:40 fedora3-f13 sshd[17380]: pam_krb5[17380]: created v5 ccache 'FILE:/tmp/krb5cc_10011_n0pEkv' for 'test05'
Jul 26 16:40:40 fedora3-f13 sshd[17380]: pam_krb5[17380]: pam_open_session returning 0 (Success)
Jul 26 16:40:42 fedora3-f13 sshd[17380]: Received disconnect from 11: disconnected by user
Jul 26 16:40:42 fedora3-f13 sshd[17369]: pam_unix(sshd:session): session closed for user test05

However after the session ends, a different file is tried for deletion:

Jul 26 16:40:42 fedora3-f13 sshd[17369]: pam_krb5[17369]: removing ccache 'FILE:/tmp/krb5cc_10011_LCo3fe'
Jul 26 16:40:43 fedora3-f13 sshd[17369]: pam_krb5[17369]: error removing ccache 'FILE:/tmp/krb5cc_10011_LCo3fe'

Which has been created just before /tmp/krb5cc_10011_n0pEkv.

Also, /tmp/krb5cc_10011_LCo3fe has already been deleted before /tmp/krb5cc_10011_n0pEkv was created:

17381 execve("/lib/security/pam_krb5/pam_krb5_storetmp", ["pam_krb5_storetmp", "/tmp/krb5cc_10011_LCo3fe", "4294967295", "4294967295"], [/* 15 vars */]) = 0
17381 unlink("/tmp/krb5cc_10011_LCo3fe") = 0
17382 execve("/lib/security/pam_krb5/pam_krb5_storetmp", ["pam_krb5_storetmp", "/tmp/krb5cc_10011_XXXXXX", "10011", "10000"], [/* 15 vars */]) = 0
17382 open("/tmp/krb5cc_10011_n0pEkv", O_RDWR|O_CREAT|O_EXCL, 0600) = 3
17422 execve("/lib/security/pam_krb5/pam_krb5_storetmp", ["pam_krb5_storetmp", "/tmp/krb5cc_10011_LCo3fe", "4294967295", "4294967295"], [/* 15 vars */]) = 0
17422 unlink("/tmp/krb5cc_10011_LCo3fe") = -1 ENOENT (No such file or directory)
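
The create/remove mismatch described in the report can be checked mechanically across a whole /var/log/secure. The following is an added example, not part of the original report or of pam_krb5. It assumes the pam_krb5 debug message format quoted above; the name audit_ccaches and the last two sample lines (test06, krb5cc_10012_Ab12Cd) are constructed for illustration.

```python
import re

# First three lines are quoted from the report; the last two are constructed
# to show a session whose ccache is cleaned up correctly.
SAMPLE = """\
Jul 26 16:40:40 fedora3-f13 sshd[17380]: pam_krb5[17380]: created v5 ccache 'FILE:/tmp/krb5cc_10011_n0pEkv' for 'test05'
Jul 26 16:40:42 fedora3-f13 sshd[17369]: pam_krb5[17369]: removing ccache 'FILE:/tmp/krb5cc_10011_LCo3fe'
Jul 26 16:40:43 fedora3-f13 sshd[17369]: pam_krb5[17369]: error removing ccache 'FILE:/tmp/krb5cc_10011_LCo3fe'
Jul 26 16:41:05 fedora3-f13 sshd[17500]: pam_krb5[17500]: created v5 ccache 'FILE:/tmp/krb5cc_10012_Ab12Cd' for 'test06'
Jul 26 16:41:09 fedora3-f13 sshd[17500]: pam_krb5[17500]: removing ccache 'FILE:/tmp/krb5cc_10012_Ab12Cd'
"""

# Matches the three pam_krb5 ccache messages seen in the report's log excerpt.
EVENT = re.compile(
    r"pam_krb5\[\d+\]: (created v5 ccache|removing ccache|error removing ccache)"
    r" 'FILE:([^']+)'(?: for '([^']+)')?"
)

def audit_ccaches(log_text):
    """Return (leaked, failed).

    leaked maps each ccache path that was created but never successfully
    removed to the user it was created for; failed lists paths whose
    removal was attempted and reported an error.
    """
    created, removed, failed = {}, set(), set()
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        action, path, user = m.groups()
        if action.startswith("created"):
            created[path] = user
        elif action.startswith("removing"):
            removed.add(path)
        else:  # "error removing ccache"
            failed.add(path)
    cleaned = removed - failed  # a removal followed by an error did not succeed
    leaked = {p: u for p, u in created.items() if p not in cleaned}
    return leaked, sorted(failed)

if __name__ == "__main__":
    leaked, failed = audit_ccaches(SAMPLE)
    for path, user in leaked.items():
        print(f"LEAKED  {path} (user {user})")
    for path in failed:
        print(f"FAILED  {path}")
```
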
Comment 1 stefan.volkel.ext 2011-07-26 11:25:44 EDT
Created attachment 515305
Comment 2 stefan.volkel.ext 2011-07-26 11:26:36 EDT
Created attachment 515306
strace -f -p $PID_OF_SSHD
Comment 3 stefan.volkel.ext 2011-07-27 04:22:06 EDT
FWIW, it seems that the file kept after logout is the one from KRB5CCNAME
Comment 4 Ken Dreyer 2011-08-26 18:19:48 EDT
Appears to be happening on RHEL 6.1 also. pam_krb5-2.3.11-6.el6.x86_64
Comment 5 Fedora Update System 2011-09-09 09:43:36 EDT
pam_krb5-2.3.13-1.fc16 has been submitted as an update for Fedora 16.
Comment 6 Fedora Update System 2011-09-09 11:09:36 EDT
Package pam_krb5-2.3.13-1.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing pam_krb5-2.3.13-1.fc16'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Comment 7 Fedora Update System 2011-09-30 15:44:27 EDT
pam_krb5-2.3.13-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
