bugzilla-daemon at mindrot.org
2014-Feb-22 17:34 UTC
[Bug 2204] New: gssapi-with-mic and UsePrivilegeSeparation sandbox
https://bugzilla.mindrot.org/show_bug.cgi?id=2204 Bug ID: 2204 Summary: gssapi-with-mic and UsePrivilegeSeparation sandbox Product: Portable OpenSSH Version: 6.4p1 Hardware: amd64 OS: Linux Status: NEW Severity: minor Priority: P5 Component: Kerberos support Assignee: unassigned-bugs at mindrot.org Reporter: georg at steffers.org Authentication with gssapi-with-mic does not work when using privilegeSeparation sandbox. Howto reproduce: - Use openssh in a kerborized environment. - activate authentication with gssapi - activate UsePrivilegeSeparation sandbox - try to login with a TGT. Result: The sshd simply drops the connection without any information about what happened. Expected result: If possible a succesfull login or if not at least when turning on debugging an information why the login failed. Additional information: When doing an strace with the sshd I can't find even an evidence that the krb5.keytab is tried to beloaded. I guess that sandbox created some kind of chroot which prevents gssapi from reading this file at all. Maybe it is possible to initialize the gssapi before the sandbox is initialized but if that is not possible there should be at least an information what has happened. best regards Georg Hopp -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2014-Feb-23 23:34 UTC
[Bug 2204] gssapi-with-mic and UsePrivilegeSeparation sandbox
https://bugzilla.mindrot.org/show_bug.cgi?id=2204 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED CC| |djm at mindrot.org Resolution|--- |DUPLICATE --- Comment #1 from Damien Miller <djm at mindrot.org> --- I'm pretty sure that this is bug #2107 - please try the latest patch there. *** This bug has been marked as a duplicate of bug 2107 *** -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2015-Aug-11 13:02 UTC
[Bug 2204] gssapi-with-mic and UsePrivilegeSeparation sandbox
https://bugzilla.mindrot.org/show_bug.cgi?id=2204 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED --- Comment #2 from Damien Miller <djm at mindrot.org> --- Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1 -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
Seemingly Similar Threads
- [Bug 2107] New: seccomp sandbox breaks GSSAPI
- [Bug 1020] PrintLastLog doesn't work for UsePrivilegeseparation yes
- [Bug 1021] PrintLastLog doesn't work for UsePrivilegeseparation yes
- openssh-3.9p1: no pam_close_session() invocation
- OpenUsePrivilegeSeparation on Compaq V5.1A with C2/SIA Security