bugzilla-daemon at bugzilla.mindrot.org
2011-Oct-20 08:55 UTC
[Bug 1945] New: Only 1 of the 2 krb cache files is removed on closing the ssh connection with UsePrivilegeSeparation=yes
https://bugzilla.mindrot.org/show_bug.cgi?id=1945
Bug #: 1945
Summary: Only 1 of the 2 krb cache files is removed on closing
the ssh connection with UsePrivilegeSeparation=yes
Classification: Unclassified
Product: Portable OpenSSH
Version: 5.8p1
Platform: All
OS/Version: HP-UX
Status: NEW
Severity: normal
Priority: P2
Component: PAM support
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: balu9463 at gmail.com
This is my first bug report, request you to correct me if necessary.
For a non-root user, when ChallengeResponse is used with PAM_Kerberos
and UsePrivilegeSeparation=yes, sshd creates two
credential files in /tmp, and at the end of the session only one
is removed.
$ssh system1
.
.
$ ps -ef | grep ssh
root 170 1 0 14:01:58 ? 0:00 /opt/ssh/sbin/sshd
test 245 243 0 14:03:41 ? 0:00 sshd: test at pts/0
test 242 225 0 14:03:39 pts/tb 0:00 ssh system1
root 243 170 0 14:03:39 ? 0:02 sshd: test [priv]
$ ll /tmp/krb5cc*
-rw------- 1 test users 416 Oct 20 14:03 /tmp/krb5cc_170_243
-rw------- 1 test users 416 Oct 20 14:03 /tmp/krb5cc_243_245
Env KRB5CCNAME is set to
KRB5CCNAME=FILE:/tmp/krb5cc_243_245
On closing the session, the cache file corresponding to the nonpriv
process is not removed.
$ ll /tmp/krb5cc*
-rw------- 1 test users 416 Oct 20 14:03 /tmp/krb5cc_243_245
I have tested this on HP-UX but believe the same behaviour occurs on
other OSes as well.
A probable fix is to change the condition in
sshpam_cleanup(void) in auth-pam.c:
< if (sshpam_handle == NULL || (use_privsep &&
!mm_is_monitor()))
---> if (sshpam_handle == NULL && (use_privsep &&
!mm_is_monitor()))
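Review bot: in the replacement condition, joining the NULL test with && means the branch is no longer taken when sshpam_handle is NULL and the process is the monitor or privsep is off, so the NULL check stops working on its own. Keep sshpam_handle == NULL as a separate test and change only the use_privsep && !mm_is_monitor() part if the unprivileged process is meant to get past this condition.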
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
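A check an administrator can run for credential caches left behind as described in this report. It is an added example, not part of the original thread or of OpenSSH. It assumes the krb5cc_<parent pid>_<pid> naming inferred from the listing above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report Kerberos credential caches whose owning process is gone.
# Assumption: file names follow krb5cc_<parent pid>_<pid>, as in the report's
# listing (krb5cc_170_243, krb5cc_243_245). Function names are hypothetical.

# pid_alive PID: succeeds if a process with that PID exists.
pid_alive() {
    kill -0 "$1" 2>/dev/null && return 0   # processes we may signal
    [ -d "/proc/$1" ] && return 0          # Linux: any owner
    ps -p "$1" >/dev/null 2>&1             # POSIX ps (HP-UX and others)
}

# stale_ccaches [DIR]: print, one per line, each krb5cc_<ppid>_<pid> file in
# DIR (default /tmp) whose trailing <pid> no longer names a running process.
# Nothing is deleted; every hit still holds tickets and needs review.
stale_ccaches() {
    dir=${1:-/tmp}
    for f in "$dir"/krb5cc_*_*; do
        [ -f "$f" ] || continue            # unmatched glob or not a file
        pid=${f##*_}                       # text after the last underscore
        case $pid in
            ''|*[!0-9]*) continue ;;       # suffix is not a PID; skip
        esac
        pid_alive "$pid" || printf '%s\n' "$f"
    done
}

# Invoke as: sh script.sh --scan [DIR]
if [ "${1:-}" = "--scan" ]; then
    stale_ccaches "${2:-/tmp}"
fi
```

A cache is reported only when the process in its name has exited, so caches belonging to live sessions are not listed.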
bugzilla-daemon at bugzilla.mindrot.org
2011-Dec-02 00:11 UTC
[Bug 1945] Only 1 of the 2 krb cache files is removed on closing the ssh connection with UsePrivilegeSeparation=yes
https://bugzilla.mindrot.org/show_bug.cgi?id=1945
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> 2011-12-02 11:11:34 EST ---
I don't think the proposed fix is correct - it would allow
sshpam_cleanup() to run with a NULL pam handle and probably SEGV when
it makes its first PAM call.
Perhaps we should relax the !mm_is_monitor() check somehow though.
Maybe we could add a new monitor call to run the PAM cleanup as root?
bugzilla-daemon at bugzilla.mindrot.org
2011-Dec-13 06:10 UTC
[Bug 1945] Only 1 of the 2 krb cache files is removed on closing the ssh connection with UsePrivilegeSeparation=yes
https://bugzilla.mindrot.org/show_bug.cgi?id=1945
balu9463 at gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |balu9463 at gmail.com
--- Comment #2 from balu9463 at gmail.com 2011-12-13 17:10:37 EST ---
Right, I overlooked the NULL PAM handle.
Wouldn't relaxing the mm_is_monitor and only checking for privsep work?
if (sshpam_handle == NULL && use_privsep)