I believe there is a bug in how AIX handles the KRB5CCNAME environment variable. The symptom occurs when a root user restarts sshd while they have KRB5CCNAME set; all of the resulting client connections will inherit the same KRB5CCNAME variable. This can occur if the admin uses 'ksu' or some other kerberized method of obtaining root privileges. Investigating this problem, I stumbled across some code in session.c that confused me a bit. This code exists in the OpenSSH source from at least as far back as 3.1 to the current source tree. On about line 1087 of session.c we see this: #ifdef _AIX { char *cp; if ((cp = getenv("AUTHSTATE")) != NULL) child_set_env(&env, &envsize, "AUTHSTATE", cp); if ((cp = getenv("KRB5CCNAME")) != NULL) child_set_env(&env, &envsize, "KRB5CCNAME", cp); read_environment_file(&env, &envsize, "/etc/environment"); } #endif It seems to me that this section of code takes the KRB5CCNAME from sshd (if it exists) and hands it off to the child. My question is, why would you ever want to do this? The next section of code is what confused me: #ifdef KRB5 if (s->authctxt->krb5_ticket_file) child_set_env(&env, &envsize, "KRB5CCNAME", s->authctxt->krb5_ticket_file); #endif This would appear to overwrite KRB5CCNAME with (I'm assuming) the correct value. For some reason it doesn't. Any thoughts on what I'm missing? -Mike
Mike Dopheide wrote:> > I believe there is a bug in how AIX handles the KRB5CCNAME environment > variable. The symptom occurs when a root user restarts sshd while they > have KRB5CCNAME set; all of the resulting client connections will inherit > the same KRB5CCNAME variable. This can occur if the admin uses 'ksu' or > some other kerberized method of obtaining root privileges.[snip]> On about line 1087 of session.c we see this:[snip code]> It seems to me that this section of code takes the KRB5CCNAME from sshd > (if it exists) and hands it off to the child. My question is, why would > you ever want to do this?I've never used Kerberos on AIX but I would guess that this is to handle the case where KRB5CCNAME is set by one of the modules called by the AIX's authenticate() function. It would seem that KRB5CCNAME should be cleared from the sshd's environment when it starts up to prevent the situation you're describing. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Apparently Analagous Threads
- Patches for compatibility with Heimdal's libsia_krb5 SIA module
- [Bug 372] New: [authkrb5] : KRB5CCNAME set to pointer
- BSD Auth: set child environment variables requested by login script [PATCH]
- AIX openssh patches
- [Bug 445] User DCE Credentials do not get forwarded to child session