Red Hat Bugzilla – Bug 733803
pam_krb5 leaks ccache files when loging in through ssh
Last modified: 2016-08-23 12:05:07 EDT
+++ This bug was initially created as a clone of Bug #725797 +++
Description of problem:
Each time a user logs in and out again, one ccache file is left in /tmp.
Users are managed in Active Directory and authenticate through nss-pam-ldapd/pam_krb5.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1.Log in via SSH
one ccache file left in /tmp
no ccache file left in /tmp
FWIW, setting multiple_ccaches did not seem to have any effect.
The file left around was /tmp/krb5cc_10011_n0pEkv.
It seems like this file is created just before the session starts:
Jul 26 16:40:40 fedora3-f13 sshd: pam_krb5: created v5 ccache 'FILE:/tmp/krb5cc_10011_n0pEkv' for 'test05'
Jul 26 16:40:40 fedora3-f13 sshd: pam_krb5: pam_open_session returning 0 (Success)
Jul 26 16:40:42 fedora3-f13 sshd: Received disconnect from 10.46.208.226: 11: disconnected by user
Jul 26 16:40:42 fedora3-f13 sshd: pam_unix(sshd:session): session closed for user test05
However after the session ends, a different file is tried for deletion:
Jul 26 16:40:42 fedora3-f13 sshd: pam_krb5: removing ccache 'FILE:/tmp/krb5cc_10011_LCo3fe'
Jul 26 16:40:43 fedora3-f13 sshd: pam_krb5: error removing ccache 'FILE:/tmp/krb5cc_10011_LCo3fe'
Which has been created just before /tmp/krb5cc_10011_n0pEkv.
Also, /tmp/krb5cc_10011_LCo3fe has already been deleted before /tmp/krb5cc_10011_n0pEkv was created:
17381 execve("/lib/security/pam_krb5/pam_krb5_storetmp", ["pam_krb5_storetmp", "/tmp/krb5cc_10011_LCo3fe", "4294967295", "4294967295"], [/* 15 vars */]) = 0
17381 unlink("/tmp/krb5cc_10011_LCo3fe") = 0
17382 execve("/lib/security/pam_krb5/pam_krb5_storetmp", ["pam_krb5_storetmp", "/tmp/krb5cc_10011_XXXXXX", "10011", "10000"], [/* 15 vars */]) = 0
17382 open("/tmp/krb5cc_10011_n0pEkv", O_RDWR|O_CREAT|O_EXCL, 0600) = 3
17422 execve("/lib/security/pam_krb5/pam_krb5_storetmp", ["pam_krb5_storetmp", "/tmp/krb5cc_10011_LCo3fe", "4294967295", "4294967295"], [/* 15 vars */]) = 0
17422 unlink("/tmp/krb5cc_10011_LCo3fe") = -1 ENOENT (No such file or directory)
--- Additional comment from email@example.com on 2011-07-26 11:25:44 EDT ---
Created attachment 515305 [details]
--- Additional comment from firstname.lastname@example.org on 2011-07-26 11:26:36 EDT ---
Created attachment 515306 [details]
strace -f -p $PID_OF_SSHD
--- Additional comment from email@example.com on 2011-07-27 04:22:06 EDT ---
FWIW, it seems that the file kept after logout is the one from KRB5CCNAME
--- Additional comment from firstname.lastname@example.org on 2011-08-26 18:19:48 EDT ---
Appears to be happening on RHEL 6.1 also. pam_krb5-2.3.11-6.el6.x86_64
This'll probably turn out to be a duplicate of bug #720609. It should already be fixed in Raw Hide.
I can not access #720609:
You are not authorized to access bug #720609.
I need to fix this on Fedora 13. Is there a patch available? Or an updated package?
Or can you provide the details so that I can fix it myself?
Keep in that Fedora 13 has passed its end-of-life date, so there won't be an update there. I just noticed that Raw Hide doesn't have 2.3.13 yet, so I'll be building it there soon. As for Fedora 13, using 'rpmbuild -tb' to build the tarball from https://fedorahosted.org/releases/p/a/pam_krb5/ is probably the most expedient route, as the backported patch for EL6 assumes some other things that were backported before it. The patches from the upstream repository are spread across these commits:
Happens here as well, RHEL 6.1 64bit
On RHEL6/x86_64 with pam_krb5-2.3.11-6.el6.x86_64
The following has been observed:
- If the host has a corresponding /etc/krb5.keytab and user logs in using his TGT then logout is able to find and delete the file /tmp/krb5cc_UID_XXXXXX without further message.
- If user logs following the password challenge (no TGT), upon log out, pam_krb5 is not able to find the ccache file and consequently prints the error "error removing ccache 'FILE:/tmp/krb5cc_UID_YYYYYY'" Note that in this case, ccache file name searched for deletion on logout is different from the one created at login time and then remaining in /tmp.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.