Hi,

I'm trying to use the GSSAPIDelegateCredentials function to forward my Kerberos 5 tickets. Authentication with GSSAPI/Kerberos 5 works fine; I can log in to the server when I have valid tickets on my client. But when I turn on GSSAPIDelegateCredentials I get "Connection reset by peer" at the client side. At the server side, I have been able to see that the user process gets a segfault just after writing to the tickets cache.

I'm using:
openssh-4.5p1 (tested with 4.6p1 also)
heimdal-0.7.2
on a Gentoo 2006.1 i686 system.

First off: Has anyone seen this before?

Second: Even though I have set the core limit to 100M in limits.conf and verified that it gets set using strace -f /usr/sbin/sshd, I don't get any coredump. Is there any good way of debugging these kinds of problems?

/Johan Andersson

On 30 Apr 2007, at 17:23, Johan Andersson wrote:

> First off: Has anyone seen this before?

No, this is the first report I've seen of this problem. Have you made sure that all of your library dependencies are correct? That is, that you're building, and running, against the same version of libgssapi. Unfortunately, some vendors have taken to shipping a libgssapi which doesn't conform to the GSSAPI API - this often causes segfaults at unexpected moments.

> Second: Even though I have set the core limit to 100M in
> limits.conf and
> verified that it gets set using strace -f /usr/sbin/sshd, I don't get
> any coredump. Is there any good way of debugging these kinds of
> problems?

Privsep makes it pretty tricky to follow through all of the processes with a debugger. Often the easiest thing to do is to instrument the code. If it is dying where you think it is, then adding additional debug statements to ssh_gssapi_krb5_storecreds is the best place to start. In particular, it's worth seeing if the call to gss_krb5_copy_ccache is succeeding.

Simon.
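
As an added illustration of the instrumentation suggested in the reply above (not code from OpenSSH or from either poster): a debug statement after gss_krb5_copy_ccache is most useful when the logged major status is readable. This stand-alone helper decodes a major status word using the field layout in RFC 2744; the function names gss_major_failed and gss_major_describe are hypothetical, and the status value in main is constructed.

```c
/* Added example; helper names are hypothetical, sample value is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field layout of a major status word, RFC 2744 section 3.9.1. */
#define CALLING(m) (((m) >> 24) & 0xffu)
#define ROUTINE(m) (((m) >> 16) & 0xffu)
#define SUPP(m)    ((m) & 0xffffu)
#define COUNT(a)   (sizeof(a) / sizeof((a)[0]))

static const char *const calling_names[] = { "", "GSS_S_CALL_INACCESSIBLE_READ",
    "GSS_S_CALL_INACCESSIBLE_WRITE", "GSS_S_CALL_BAD_STRUCTURE" };
static const char *const routine_names[] = { "", "GSS_S_BAD_MECH", "GSS_S_BAD_NAME",
    "GSS_S_BAD_NAMETYPE", "GSS_S_BAD_BINDINGS", "GSS_S_BAD_STATUS", "GSS_S_BAD_SIG",
    "GSS_S_NO_CRED", "GSS_S_NO_CONTEXT", "GSS_S_DEFECTIVE_TOKEN",
    "GSS_S_DEFECTIVE_CREDENTIAL", "GSS_S_CREDENTIALS_EXPIRED", "GSS_S_CONTEXT_EXPIRED",
    "GSS_S_FAILURE", "GSS_S_BAD_QOP", "GSS_S_UNAUTHORIZED", "GSS_S_UNAVAILABLE",
    "GSS_S_DUPLICATE_ELEMENT", "GSS_S_NAME_NOT_MN" };
static const char *const supp_names[] = { "GSS_S_CONTINUE_NEEDED",
    "GSS_S_DUPLICATE_TOKEN", "GSS_S_OLD_TOKEN", "GSS_S_UNSEQ_TOKEN", "GSS_S_GAP_TOKEN" };

/* Same test as the GSS_ERROR() macro: any calling or routine error bit set. */
int gss_major_failed(uint32_t major) { return (major & 0xffff0000u) != 0; }

/* Append one name to buf, '|'-separated; snprintf keeps buf NUL-terminated. */
static void append(char *buf, size_t len, const char *name)
{
    size_t used = strlen(buf);
    snprintf(buf + used, len - used, "%s%s", used ? "|" : "", name);
}

/* Writes the names of all set status fields into buf and returns buf. */
const char *gss_major_describe(uint32_t major, char *buf, size_t len)
{
    uint32_t c = CALLING(major), r = ROUTINE(major), s = SUPP(major);
    size_t i;
    if (len == 0) return buf;
    buf[0] = '\0';
    if (c) append(buf, len, c < COUNT(calling_names) ? calling_names[c] : "unknown-calling-error");
    if (r) append(buf, len, r < COUNT(routine_names) ? routine_names[r] : "unknown-routine-error");
    if (!c && !r) append(buf, len, "GSS_S_COMPLETE");
    for (i = 0; i < COUNT(supp_names); i++)
        if (s & (1u << i)) append(buf, len, supp_names[i]);
    return buf;
}

int main(void)
{
    char b[128];
    uint32_t major = 13u << 16; /* constructed: routine error 13 */
    printf("copy_ccache major=0x%08x failed=%d (%s)\n", (unsigned)major,
           gss_major_failed(major), gss_major_describe(major, b, sizeof b));
    return 0;
}
```

In real instrumentation the major and minor status would come from the GSSAPI call itself, and the minor status still needs the mechanism's own gss_display_status output to be interpreted.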