search for: ssh_gssapi_krb5_storecreds

...penSSH, I found a memory leak in OpenSSH when storing forwarded GSSAPI credentials resulting in a growing process segment for each connection that uses GSSAPI credentials forwarding. What happens is the following: In the privileged parent, we are calling ssh_gssapi_storecreds() which itself calls ssh_gssapi_krb5_storecreds(). ssh_gssapi_krb5_storecreds() makes some memory allocations in order to save the credentials store for the gssapi client. +167 client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache)); +168 client->store.envvar = "KRB5CCNAME"; +169...

...OpenSSH, I found a memory leak in OpenSSH when storing forwarded GSSAPI credentials resulting in a growing process segment for each connection that uses GSSAPI credentials forwarding. What happens is the following: In the privileged parent, we are calling ssh_gssapi_storecreds() which itself calls ssh_gssapi_krb5_storecreds(). ssh_gssapi_krb5_storecreds() makes some memory allocations in order to save the credentials store for the gssapi client. +167 client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache)); +168 client->store.envvar = "KRB5CCNAME"; +169...

...Status: NEW Severity: normal Priority: P2 Component: Kerberos support AssignedTo: bitbucket at mindrot.org ReportedBy: gentoo.riverrat at gmail.com While attempting to correct some compile warnings I noticed this: gss-serv-krb5.c: In function `ssh_gssapi_krb5_storecreds': gss-serv-krb5.c:156: warning: implicit declaration of function `gss_krb5_copy_ccache' This is actually a simple typo that was a bear to track down but should get corrected immediately as it is potentially problematic on amd64. I originally reported this to Gentoo and submitted a patch:...

Hi, I'm trying to use the GSSAPIDelegateCredentials function to forward my kerberos 5 tickets. Authentication with GSSAPI/Kerberos 5 works fine, I can log in to the server when I have valid tickets on my client. But when I turn on GSSAPIDelegateCredentials I get "Connection reset by peer" at the client side. At the server side, I have been able to see that the user process gets a

...rsion: All Status: NEW Severity: normal Priority: P2 Component: Kerberos support AssignedTo: openssh-bugs at mindrot.org ReportedBy: smichaud at pobox.com This is something we missed when going over the GSSAPI code this August. The code in ssh_gssapi_krb5_storecreds() in gss-serv-krb5.c doesn't set the KRB5CCNAME environment variable correctly. At present it includes only the cache's "name". But it should actually include both it's "type" and it's "name", separated by a colon ':' -- e.g. "FILE:/tmp/k...

Hi All. Markus has commited the long-awaited GSSAPI patch to OpenBSD's ssh. There are patches. The first [1] is a straightforward port of the OpenBSD code to Portable. The second [2] contains the parts I've stolen from Simon Wilkinson's portable GSSAPI patch in an attempt to make it build. It is incomplete and doesn't currently work. The PAM support is not there and

I?ve stumbled across a rather obscure problem with ssh. My machine is setup to use Kerberos authentication, i.e., I use the pam_krb5 module in the ssh auth section of the PAM configuration file and I have sshd compiled to accept valid Kerberos 5 tickets as well. I also use OpenAFS, so I?ve got the pam_openafs_session module in the ssh session section of the PAM configuration file. Everything

...auth2-gss.o gss-serv.o gss-serv-krb5.o loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o audit.o audit-bsm.o platform.o -L. -Lopenbsd-compat/ -L/usr/lib -lssh -lopenbsd-compat -lresolv -lcrypto -lutil -lz -lnsl -lcrypt -lgssapi -lkrb5 -lk5crypto -lcom_err gss-serv-krb5.o: In function `ssh_gssapi_krb5_storecreds': /usr/src/packages/BUILD/openssh-4.5p1/gss-serv-krb5.c:164: undefined reference to `gss_krb5_copy_ccache' collect2: ld returned 1 exit status make: *** [sshd] Error 1 This missing function is defined in libgssapi_krb5. I think the problem behind this is that gss_init_sec_context, which...

If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches? --- Scott Neugroschl | XYPRO Technology Corporation 4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |

Hi All. OpenSSH is getting ready for a release soon, so we are asking for all interested parties to test a snapshot. Changes include: * sshd will now re-exec itself for each new connection (the "-e" option is required when running sshd in debug mode). * PAM password authentication has been (re)added. * Interface improvements to sftp(1) * Many bug fixes and improvements, for

...+ name, (char *)client->displayname.value); + } else + retval = 0; + + krb5_free_principal(krb_context, princ); + return retval; +} + + +/* This writes out any forwarded credentials from the structure populated + * during userauth. Called after we have setuid to the user */ + +static void +ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) +{ + krb5_ccache ccache; + krb5_error_code problem; + krb5_principal princ; + OM_uint32 maj_status, min_status; + + if (client->creds == NULL) { + debug("No credentials stored"); + return; + } + + if (ssh_gssapi_krb5_init() == 0) + return; + + if ((problem...

Hi, OpenSSH 6.5 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. This release contains some substantial new features and a number of bugfixes. Snapshot releases for portable OpenSSH are available from http://www.mindrot.org/openssh_snap/ The OpenBSD version is available in CVS HEAD: http://www.openbsd.org/anoncvs.html Portable OpenSSH is