Displaying 5 results from an estimated 5 matches for "ssh_gssapi_cleanup_creds".
2003 Aug 10
9
updated gssapi diff
...tedname))) {
+ return (ctx->major);
+ }
+
+ /* We can't copy this structure, so we just move the pointer to it */
+ client->creds = ctx->client_creds;
+ ctx->client_creds = GSS_C_NO_CREDENTIAL;
+ return (ctx->major);
+}
+
+/* As user - called through fatal cleanup hook */
+void
+ssh_gssapi_cleanup_creds(void *ignored)
+{
+ if (gssapi_client.store.filename != NULL) {
+ /* Unlink probably isn't sufficient */
+ debug("removing gssapi cred file\"%s\"", gssapi_client.store.filename);
+ unlink(gssapi_client.store.filename);
+ }
+}
+
+/* As user */
+void
+ssh_gssapi_storecreds(...
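Review bot: in ssh_gssapi_cleanup_creds() the result of `unlink(gssapi_client.store.filename)` is discarded, so a credential file that could not be removed is left on disk with no log entry. Check the return value and log the failure with the errno text. The in-code comment "Unlink probably isn't sufficient" should either say what further cleanup is expected or be turned into a tracked TODO. Minor: the debug format string `"removing gssapi cred file\"%s\""` is missing a space before the opening quote, so the message reads as `file"name"`.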
2008 Dec 02
0
SSHD does not cleanup kerberos ticket while root logins
...hd.c) in privsep_postauth function, that if root
logs in then use_privsep is set to 0 and the call to the function
do_setusercontext is skipped. But the function do_setusercontext calls
ssh_gssapi_storecreds, where the structure client->store.filename is filled
with the filename of the Kerberos ticket. So then if
ssh_gssapi_cleanup_creds is called it does nothing because
gssapi_client.store.filename is empty.
We are also using pam_krb5, but with option minimal_uid=200, so the root
login is not affected.
My sshd_config:
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation ye...
2009 May 23
2
Memory leak caused by forwarded GSSAPI credential store
...connection that uses GSSAPI credential forwarding.
A solution would be the following:
1) Migrate the ssh_gssapi_storecreds() call to the unprivileged child
2) Create a ssh_gssapi_free_store() call in gss-serv.c which frees the memory allocations. At first I was thinking of integrating this in the ssh_gssapi_cleanup_creds() call but freeing the memory is mandatory while the cleanup of credentials is the user's choice.
3) Integrate ssh_gssapi_free_store() call in the do_cleanup() call, which is located in session.c.
Bugzilla item #1601 was created to address this issue.
I also added a patch which solves this is...
2009 May 23
7
[Bug 1601] New: Memory leak caused by forwarded GSSAPI credential store
...connection that uses GSSAPI
credential forwarding.
A solution would be the following:
1) Migrate the ssh_gssapi_storecreds() call to the unprivileged child
2) Create a ssh_gssapi_free_store() call in gss-serv.c which frees the
memory allocations. At first I was thinking of integrating this in the
ssh_gssapi_cleanup_creds() call but freeing the memory is mandatory
while the cleanup of credentials is the user's choice.
3) Integrate ssh_gssapi_free_store() call in the do_cleanup() call,
which is located in session.c.
I added a patch which solved this issue.
2014 Jul 15
3
GSSAPI
If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches?
---
Scott Neugroschl | XYPRO Technology Corporation
4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |