[Pkg-shadow-devel] Bug#412061: login: su ends PAM sesstion in subshell

Russ Allbery rra at debian.org
Fri Feb 23 18:05:57 CET 2007 

bts subscribe 412061 rra at debian.org
thanks

Philipp Matthias Hahn <pmhahn at debian.org> writes:

> # This is the user's ticket
> open("/tmp/krb5cc_pam_N2kh8U", O_RDONLY) = 4
> open("/tmp/krb5cc_pam_N2kh8U", O_RDONLY) = 4
> open("/tmp/krb5cc_pam_N2kh8U", O_RDONLY) = 4
> unlink("/tmp/krb5cc_1000_q9oTxG")       = 0
> open("/tmp/krb5cc_1000_q9oTxG", O_RDWR|O_CREAT|O_TRUNC|O_EXCL, 0600) = 4
> # no idea why it is done a second time
> open("/tmp/krb5cc_1000_q9oTxG", O_RDWR) = 4
> chown32("/tmp/krb5cc_1000_q9oTxG", 1000, 1000) = 0
> open("/tmp/krb5cc_pam_N2kh8U", O_RDWR)  = 4
> unlink("/tmp/krb5cc_pam_N2kh8U")        = 0
> # the TGT is no longer needed

It's done a second time because the user's final ticket cache should only
be created on pam_setcred or pam_open_session, but pam_authenticate has to
put the ticket cache somewhere in the meantime.  We used to use a memory
cache for this, but OpenSSH calls pam_authenticate and pam_setcred in
completely different processes so we use a temporary disk cache to pass
the cache around instead.

pam-krb5 has always destroyed the ticket cache on pam_end.  It stores a
pointer to the ticket cache in a PAM data variable, and then when PAM data
is cleaned up, the destructor for its private data destroys the ticket
cache unless pam_setcred was called with PAM_REFRESH or some equivalent.

I'm not sure if this is the correct behavior or not.  I inherited it, and
I don't know if there's any documentation about what one is *supposed* to
to.  It causes strange problems on Solaris 8 and 9 as well (I haven't been
able to test Solaris 10).

I could change pam-krb5 to only destroy the ticket cache on
pam_close_session and to leave it alone with pam_end, but I have a feeling
that some applications that call pam_setcred (but not pam_open_session)
won't call pam_close_session, resulting in ticket caches left behind in
/tmp after the user logs out (which is a mild security worry).

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>

More information about the Pkg-shadow-devel mailing list