Bug 733803 - pam_krb5 leaks ccache files when loging in through ssh
Summary: pam_krb5 leaks ccache files when loging in through ssh
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: pam_krb5
Version: 6.1
Hardware: i686
OS: Linux
Target Milestone: rc
: ---
Assignee: Nalin Dahyabhai
QA Contact: BaseOS QE Security Team
Depends On: 720609 725797
TreeView+ depends on / blocked
Reported: 2011-08-26 22:46 UTC by Dmitri Pal
Modified: 2016-08-23 16:05 UTC (History)
9 users (show)

Fixed In Version: pam_krb5-2.3.11-7.el6
Doc Type: Bug Fix
Doc Text:
Clone Of: 725797
Last Closed: 2011-12-06 17:36:03 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1704 0 normal SHIPPED_LIVE pam_krb5 bug fix update 2011-12-06 01:02:31 UTC

Description Dmitri Pal 2011-08-26 22:46:55 UTC
+++ This bug was initially created as a clone of Bug #725797 +++

Description of problem:

Each time a user logs in and out again, one ccache file is left in /tmp.

Users are managed in Active Directory and authenticate through nss-pam-ldapd/pam_krb5.

Version-Release number of selected component (if applicable):


How reproducible:

Every time.

Steps to Reproduce:
1.Log in via SSH
2.Log out

Actual results:

one ccache file left in /tmp

Expected results:

no ccache file left in /tmp

Additional info:

FWIW, setting multiple_ccaches did not seem to have any effect.

The file left around was /tmp/krb5cc_10011_n0pEkv.

It seems like this file is created just before the session starts:

Jul 26 16:40:40 fedora3-f13 sshd[17380]: pam_krb5[17380]: created v5 ccache 'FILE:/tmp/krb5cc_10011_n0pEkv' for 'test05'
Jul 26 16:40:40 fedora3-f13 sshd[17380]: pam_krb5[17380]: pam_open_session returning 0 (Success)
Jul 26 16:40:42 fedora3-f13 sshd[17380]: Received disconnect from 11: disconnected by user
Jul 26 16:40:42 fedora3-f13 sshd[17369]: pam_unix(sshd:session): session closed for user test05

However after the session ends, a different file is tried for deletion:

Jul 26 16:40:42 fedora3-f13 sshd[17369]: pam_krb5[17369]: removing ccache 'FILE:/tmp/krb5cc_10011_LCo3fe'
Jul 26 16:40:43 fedora3-f13 sshd[17369]: pam_krb5[17369]: error removing ccache 'FILE:/tmp/krb5cc_10011_LCo3fe'

Which has been created just before /tmp/krb5cc_10011_n0pEkv.

Also, /tmp/krb5cc_10011_LCo3fe has already been deleted before /tmp/krb5cc_10011_n0pEkv was created:

17381 execve("/lib/security/pam_krb5/pam_krb5_storetmp", ["pam_krb5_storetmp", "/tmp/krb5cc_10011_LCo3fe", "4294967295", "4294967295"], [/* 15 vars */]) = 0
17381 unlink("/tmp/krb5cc_10011_LCo3fe") = 0
17382 execve("/lib/security/pam_krb5/pam_krb5_storetmp", ["pam_krb5_storetmp", "/tmp/krb5cc_10011_XXXXXX", "10011", "10000"], [/* 15 vars */]) = 0
17382 open("/tmp/krb5cc_10011_n0pEkv", O_RDWR|O_CREAT|O_EXCL, 0600) = 3
17422 execve("/lib/security/pam_krb5/pam_krb5_storetmp", ["pam_krb5_storetmp", "/tmp/krb5cc_10011_LCo3fe", "4294967295", "4294967295"], [/* 15 vars */]) = 0
17422 unlink("/tmp/krb5cc_10011_LCo3fe") = -1 ENOENT (No such file or directory)

--- Additional comment from stefan.volkel.ext@nsn.com on 2011-07-26 11:25:44 EDT ---

Created attachment 515305 [details]

--- Additional comment from stefan.volkel.ext@nsn.com on 2011-07-26 11:26:36 EDT ---

Created attachment 515306 [details]
strace -f -p $PID_OF_SSHD

--- Additional comment from stefan.volkel.ext@nsn.com on 2011-07-27 04:22:06 EDT ---

FWIW, it seems that the file kept after logout is the one from KRB5CCNAME

--- Additional comment from ktdreyer@ktdreyer.com on 2011-08-26 18:19:48 EDT ---

Appears to be happening on RHEL 6.1 also. pam_krb5-2.3.11-6.el6.x86_64

Comment 2 Nalin Dahyabhai 2011-08-30 18:30:37 UTC
This'll probably turn out to be a duplicate of bug #720609.  It should already be fixed in Raw Hide.

Comment 3 stefan.volkel.ext 2011-09-05 07:56:26 UTC
I can not access #720609:

You are not authorized to access bug #720609. 

I need to fix this on Fedora 13. Is there a patch available? Or an updated package? 

Or can you provide the details so that I can fix it myself?

Comment 4 Nalin Dahyabhai 2011-09-06 15:52:09 UTC
Keep in that Fedora 13 has passed its end-of-life date, so there won't be an update there.  I just noticed that Raw Hide doesn't have 2.3.13 yet, so I'll be building it there soon.  As for Fedora 13, using 'rpmbuild -tb' to build the tarball from https://fedorahosted.org/releases/p/a/pam_krb5/ is probably the most expedient route, as the backported patch for EL6 assumes some other things that were backported before it.  The patches from the upstream repository are spread across these commits:

Comment 7 Kai Mosebach 2011-09-08 12:20:18 UTC
Happens here as well, RHEL 6.1 64bit


Comment 10 Cott Lang 2011-11-24 14:11:16 UTC
Ditto here


Comment 11 caguado 2011-11-29 07:25:17 UTC
On RHEL6/x86_64 with pam_krb5-2.3.11-6.el6.x86_64

The following has been observed:
- If the host has a corresponding /etc/krb5.keytab and user logs in using his TGT then logout is able to find and delete the file /tmp/krb5cc_UID_XXXXXX without further message.
- If user logs following the password challenge (no TGT), upon log out, pam_krb5 is not able to find the ccache file and consequently prints the error "error removing ccache 'FILE:/tmp/krb5cc_UID_YYYYYY'" Note that in this case, ccache file name searched for deletion on logout is different from the one created at login time and then remaining in /tmp.

Comment 12 errata-xmlrpc 2011-12-06 17:36:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.