Bug 733803 - pam_krb5 leaks ccache files when logging in through ssh
Summary: pam_krb5 leaks ccache files when logging in through ssh
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: pam_krb5
Version: 6.1
Hardware: i686
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Nalin Dahyabhai
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On: 720609 725797
Blocks:
Reported: 2011-08-26 22:46 UTC by Dmitri Pal
Modified: 2016-08-23 16:05 UTC
CC List: 9 users

Fixed In Version: pam_krb5-2.3.11-7.el6
Doc Type: Bug Fix
Doc Text:
Clone Of: 725797
Environment:
Last Closed: 2011-12-06 17:36:03 UTC
Target Upstream Version:
Embargoed:

Links:
Red Hat Product Errata RHBA-2011:1704 (normal, SHIPPED_LIVE): pam_krb5 bug fix update, last updated 2011-12-06 01:02:31 UTC

Description Dmitri Pal 2011-08-26 22:46:55 UTC
+++ This bug was initially created as a clone of Bug #725797 +++

Description of problem:

Each time a user logs in and out again, one ccache file is left in /tmp.

Users are managed in Active Directory and authenticate through nss-pam-ldapd/pam_krb5.

Version-Release number of selected component (if applicable):

pam_krb5-2.3.11-4.fc13.i686


How reproducible:

Every time.

Steps to Reproduce:
1. Log in via SSH
2. Log out

Actual results:

one ccache file left in /tmp

Expected results:

no ccache file left in /tmp


Additional info:

FWIW, setting multiple_ccaches did not seem to have any effect.

The file left around was /tmp/krb5cc_10011_n0pEkv.

It seems like this file is created just before the session starts:

Jul 26 16:40:40 fedora3-f13 sshd[17380]: pam_krb5[17380]: created v5 ccache 'FILE:/tmp/krb5cc_10011_n0pEkv' for 'test05'
Jul 26 16:40:40 fedora3-f13 sshd[17380]: pam_krb5[17380]: pam_open_session returning 0 (Success)
Jul 26 16:40:42 fedora3-f13 sshd[17380]: Received disconnect from 10.46.208.226: 11: disconnected by user
Jul 26 16:40:42 fedora3-f13 sshd[17369]: pam_unix(sshd:session): session closed for user test05

However after the session ends, a different file is tried for deletion:

Jul 26 16:40:42 fedora3-f13 sshd[17369]: pam_krb5[17369]: removing ccache 'FILE:/tmp/krb5cc_10011_LCo3fe'
Jul 26 16:40:43 fedora3-f13 sshd[17369]: pam_krb5[17369]: error removing ccache 'FILE:/tmp/krb5cc_10011_LCo3fe'

Which has been created just before /tmp/krb5cc_10011_n0pEkv.

Also, /tmp/krb5cc_10011_LCo3fe has already been deleted before /tmp/krb5cc_10011_n0pEkv was created:

17381 execve("/lib/security/pam_krb5/pam_krb5_storetmp", ["pam_krb5_storetmp", "/tmp/krb5cc_10011_LCo3fe", "4294967295", "4294967295"], [/* 15 vars */]) = 0
17381 unlink("/tmp/krb5cc_10011_LCo3fe") = 0
...
17382 execve("/lib/security/pam_krb5/pam_krb5_storetmp", ["pam_krb5_storetmp", "/tmp/krb5cc_10011_XXXXXX", "10011", "10000"], [/* 15 vars */]) = 0
17382 open("/tmp/krb5cc_10011_n0pEkv", O_RDWR|O_CREAT|O_EXCL, 0600) = 3
...
17422 execve("/lib/security/pam_krb5/pam_krb5_storetmp", ["pam_krb5_storetmp", "/tmp/krb5cc_10011_LCo3fe", "4294967295", "4294967295"], [/* 15 vars */]) = 0
17422 unlink("/tmp/krb5cc_10011_LCo3fe") = -1 ENOENT (No such file or directory)

--- Additional comment from stefan.volkel.ext on 2011-07-26 11:25:44 EDT ---

Created attachment 515305 [details]
/var/log/secure

--- Additional comment from stefan.volkel.ext on 2011-07-26 11:26:36 EDT ---

Created attachment 515306 [details]
strace -f -p $PID_OF_SSHD

--- Additional comment from stefan.volkel.ext on 2011-07-27 04:22:06 EDT ---

FWIW, it seems that the file kept after logout is the one from KRB5CCNAME

--- Additional comment from ktdreyer on 2011-08-26 18:19:48 EDT ---

Appears to be happening on RHEL 6.1 also. pam_krb5-2.3.11-6.el6.x86_64
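
As an added example that is not part of the bug report, the checker below applies the correlation the description walks through to the quoted /var/log/secure lines: it keys the pam_krb5 "created v5 ccache" and "removing ccache" messages by the UID embedded in the ccache file name (the two messages come from different sshd PIDs, the privsep child and the parent), then reports files that were created but never handed to removal and removal attempts on names no session created. The sample log is constructed from the excerpt above; the function and regex names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the /var/log/secure excerpt quoted in this bug report.
SAMPLE_LOG = """\
Jul 26 16:40:40 fedora3-f13 sshd[17380]: pam_krb5[17380]: created v5 ccache 'FILE:/tmp/krb5cc_10011_n0pEkv' for 'test05'
Jul 26 16:40:40 fedora3-f13 sshd[17380]: pam_krb5[17380]: pam_open_session returning 0 (Success)
Jul 26 16:40:42 fedora3-f13 sshd[17380]: Received disconnect from 10.46.208.226: 11: disconnected by user
Jul 26 16:40:42 fedora3-f13 sshd[17369]: pam_unix(sshd:session): session closed for user test05
Jul 26 16:40:42 fedora3-f13 sshd[17369]: pam_krb5[17369]: removing ccache 'FILE:/tmp/krb5cc_10011_LCo3fe'
Jul 26 16:40:43 fedora3-f13 sshd[17369]: pam_krb5[17369]: error removing ccache 'FILE:/tmp/krb5cc_10011_LCo3fe'
"""

# pam_krb5 message formats as they appear in the excerpt above.
CREATED_RE = re.compile(r"pam_krb5\[\d+\]: created v5 ccache 'FILE:(?P<path>[^']+)'")
REMOVING_RE = re.compile(r"pam_krb5\[\d+\]: removing ccache 'FILE:(?P<path>[^']+)'")
# ccache names are /tmp/krb5cc_<uid>_<random>; the UID is the only key shared
# by the create message (privsep child PID) and the remove message (parent PID).
UID_RE = re.compile(r"krb5cc_(?P<uid>\d+)_")


def analyze_pam_krb5_log(log_text):
    """Correlate pam_krb5 ccache create/remove messages per UID.

    Returns (leaked, stale): paths created but never passed to 'removing ccache'
    (these are the files left in /tmp), and paths a removal was attempted on that
    no session in the log created (the stale name carried in KRB5CCNAME).
    """
    created = defaultdict(set)
    removed = defaultdict(set)
    for line in log_text.splitlines():
        for regex, bucket in ((CREATED_RE, created), (REMOVING_RE, removed)):
            m = regex.search(line)
            if m:
                uid = UID_RE.search(m.group("path"))
                if uid:
                    bucket[uid.group("uid")].add(m.group("path"))
    uids = set(created) | set(removed)
    leaked = {u: sorted(created[u] - removed[u]) for u in uids if created[u] - removed[u]}
    stale = {u: sorted(removed[u] - created[u]) for u in uids if removed[u] - created[u]}
    return leaked, stale


if __name__ == "__main__":
    leaked, stale = analyze_pam_krb5_log(SAMPLE_LOG)
    for uid, paths in leaked.items():
        print(f"uid {uid}: ccache left behind in /tmp: {', '.join(paths)}")
    for uid, paths in stale.items():
        print(f"uid {uid}: removal attempted on stale name: {', '.join(paths)}")
```

Run against a real /var/log/secure, a non-empty `leaked` result for a UID whose sessions have all closed is the symptom this bug describes; the "error removing ccache" line is ignored on purpose, since only the successful "removing" message names the file pam_krb5 targeted.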

Comment 2 Nalin Dahyabhai 2011-08-30 18:30:37 UTC
This'll probably turn out to be a duplicate of bug #720609.  It should already be fixed in Raw Hide.

Comment 3 stefan.volkel.ext 2011-09-05 07:56:26 UTC
I can not access #720609:

You are not authorized to access bug #720609. 

I need to fix this on Fedora 13. Is there a patch available? Or an updated package? 

Or can you provide the details so that I can fix it myself?

Comment 4 Nalin Dahyabhai 2011-09-06 15:52:09 UTC
Keep in mind that Fedora 13 has passed its end-of-life date, so there won't be an update there.  I just noticed that Raw Hide doesn't have 2.3.13 yet, so I'll be building it there soon.  As for Fedora 13, using 'rpmbuild -tb' to build the tarball from https://fedorahosted.org/releases/p/a/pam_krb5/ is probably the most expedient route, as the backported patch for EL6 assumes some other things that were backported before it.  The patches from the upstream repository are spread across these commits:
  627a0a4d8c502d51a5b6e6e9828d66ed6c519e45
  39ee8381f2daa1531a5c3fe126b5728a9b3d0d85
  7bd1c02177bfb9fc5ea57556b0ee9444004c373d
  b7248ee6253ba6fd900e3a93016e29184ec1f264
  7d00c3c1bf016dcd8c41d00eeebb065590906d44
  9215413e55f9425149ae954181d657fb81103888

Comment 7 Kai Mosebach 2011-09-08 12:20:18 UTC
Happens here as well, RHEL 6.1 64bit

openssh-5.3p1-52.el6_1.2.x86_64
pam_krb5-2.3.11-6.el6.x86_64

Comment 10 Cott Lang 2011-11-24 14:11:16 UTC
Ditto here

openssh-5.3p1-52.el6_1.2.x86_64
pam_krb5-2.3.11-6.el6.x86_64

Comment 11 caguado 2011-11-29 07:25:17 UTC
On RHEL6/x86_64 with pam_krb5-2.3.11-6.el6.x86_64

The following has been observed:
- If the host has a corresponding /etc/krb5.keytab and the user logs in using his TGT, then logout is able to find and delete the file /tmp/krb5cc_UID_XXXXXX without further message.
- If the user logs in following the password challenge (no TGT), then upon logout pam_krb5 is not able to find the ccache file and consequently prints the error "error removing ccache 'FILE:/tmp/krb5cc_UID_YYYYYY'". Note that in this case, the ccache file name searched for deletion on logout is different from the one created at login time, which then remains in /tmp.

Comment 12 errata-xmlrpc 2011-12-06 17:36:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1704.html