bugzilla-daemon at mindrot.org
2014-Feb-22 17:34 UTC
[Bug 2204] New: gssapi-with-mic and UsePrivilegeSeparation sandbox
https://bugzilla.mindrot.org/show_bug.cgi?id=2204
Bug ID: 2204
Summary: gssapi-with-mic and UsePrivilegeSeparation sandbox
Product: Portable OpenSSH
Version: 6.4p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: minor
Priority: P5
Component: Kerberos support
Assignee: unassigned-bugs at mindrot.org
Reporter: georg at steffers.org
Authentication with gssapi-with-mic does not work when
using privilegeSeparation sandbox.
How to reproduce:
- Use openssh in a kerberized environment.
- Activate authentication with gssapi.
- Activate UsePrivilegeSeparation sandbox.
- Try to log in with a TGT.
Result:
The sshd simply drops the connection without any information
about what happened.
Expected result:
If possible, a successful login or, if not, at least when turning
on debugging, information about why the login failed.
Additional information:
When doing an strace of the sshd I can't even find evidence
that loading the krb5.keytab is attempted. I guess that the sandbox
created some kind of chroot which prevents gssapi from reading
this file at all. Maybe it is possible to initialize the gssapi
before the sandbox is initialized, but if that is not possible there
should at least be some information about what has happened.
best regards
Georg Hopp
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2014-Feb-23 23:34 UTC
[Bug 2204] gssapi-with-mic and UsePrivilegeSeparation sandbox
https://bugzilla.mindrot.org/show_bug.cgi?id=2204
Damien Miller <djm at mindrot.org> changed:
What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |RESOLVED
CC         |        |djm at mindrot.org
Resolution |---     |DUPLICATE
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
I'm pretty sure that this is bug #2107 - please try the latest patch
there.
*** This bug has been marked as a duplicate of bug 2107 ***
bugzilla-daemon at mindrot.org
2015-Aug-11 13:02 UTC
[Bug 2204] gssapi-with-mic and UsePrivilegeSeparation sandbox
https://bugzilla.mindrot.org/show_bug.cgi?id=2204
Damien Miller <djm at mindrot.org> changed:
What       |Removed  |Added
----------------------------------------------------------------------------
Status     |RESOLVED |CLOSED
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1