[Pkg-shadow-devel] Bug#412061: login: su ends PAM session in subshell
Russ Allbery
rra at debian.org
Fri Feb 23 18:05:57 CET 2007
bts subscribe 412061 rra at debian.org
thanks
Philipp Matthias Hahn <pmhahn at debian.org> writes:
> # This is the user's ticket
> open("/tmp/krb5cc_pam_N2kh8U", O_RDONLY) = 4
> open("/tmp/krb5cc_pam_N2kh8U", O_RDONLY) = 4
> open("/tmp/krb5cc_pam_N2kh8U", O_RDONLY) = 4
> unlink("/tmp/krb5cc_1000_q9oTxG") = 0
> open("/tmp/krb5cc_1000_q9oTxG", O_RDWR|O_CREAT|O_TRUNC|O_EXCL, 0600) = 4
> # no idea why it is done a second time
> open("/tmp/krb5cc_1000_q9oTxG", O_RDWR) = 4
> chown32("/tmp/krb5cc_1000_q9oTxG", 1000, 1000) = 0
> open("/tmp/krb5cc_pam_N2kh8U", O_RDWR) = 4
> unlink("/tmp/krb5cc_pam_N2kh8U") = 0
> # the TGT is no longer needed
It's done a second time because the user's final ticket cache should only
be created on pam_setcred or pam_open_session, but pam_authenticate has to
put the ticket cache somewhere in the meantime. We used to use a memory
cache for this, but OpenSSH calls pam_authenticate and pam_setcred in
completely different processes so we use a temporary disk cache to pass
the cache around instead.
pam-krb5 has always destroyed the ticket cache on pam_end. It stores a
pointer to the ticket cache in a PAM data variable, and then when PAM data
is cleaned up, the destructor for its private data destroys the ticket
cache unless pam_setcred was called with PAM_REFRESH or some equivalent.
I'm not sure if this is the correct behavior or not. I inherited it, and
I don't know if there's any documentation about what one is *supposed* to
do. It causes strange problems on Solaris 8 and 9 as well (I haven't been
able to test Solaris 10).
I could change pam-krb5 to only destroy the ticket cache on
pam_close_session and to leave it alone with pam_end, but I have a feeling
that some applications that call pam_setcred (but not pam_open_session)
won't call pam_close_session, resulting in ticket caches left behind in
/tmp after the user logs out (which is a mild security worry).
--
Russ Allbery (rra at debian.org) <http://www.eyrie.org/~eagle/>
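The cache lifecycle described in the message (private temporary cache at pam_authenticate, user cache created O_EXCL 0600 and chowned at pam_setcred, everything destroyed by the PAM data destructor at pam_end unless the credentials were refreshed), modelled as an added Python example; this is not pam-krb5's code, and the directory, uid, TGT bytes and the `refresh` flag standing in for PAM_REFRESH are constructed for the demonstration.

```python
import os
import tempfile

class TicketCache:
    """Cache lifecycle as described: temp cache at pam_authenticate, user cache
    at pam_setcred, destroyed by the data destructor at pam_end unless refreshed."""
    def __init__(self, tmpdir, uid, gid):
        self.tmpdir, self.uid, self.gid = tmpdir, uid, gid
        self.tmp_cache = self.user_cache = None  # authenticate-time / user cache
        self.refreshed = False  # PAM_REFRESH seen: leave the cache alone at pam_end

    def authenticate(self, tgt_bytes):
        # mkstemp == open(O_RDWR|O_CREAT|O_EXCL, 0600) as in the strace (both caches)
        fd, path = tempfile.mkstemp(prefix="krb5cc_pam_", dir=self.tmpdir)
        with os.fdopen(fd, "wb") as f:
            f.write(tgt_bytes)
        self.tmp_cache = path
        return path

    def setcred(self, refresh=False):
        if refresh:
            self.refreshed = True
            return self.user_cache
        fd, path = tempfile.mkstemp(prefix=f"krb5cc_{self.uid}_", dir=self.tmpdir)
        with open(self.tmp_cache, "rb") as src, os.fdopen(fd, "wb") as dst:
            dst.write(src.read())
        os.chown(path, self.uid, self.gid)
        os.unlink(self.tmp_cache)  # the TGT copy is no longer needed
        self.tmp_cache, self.user_cache = None, path
        return path

    def end(self):
        if self.refreshed:
            return
        for p in (self.tmp_cache, self.user_cache):
            if p and os.path.exists(p):
                os.unlink(p)
        self.tmp_cache = self.user_cache = None

def run_session(refresh=False):
    """Returns (cache mode after pam_setcred, user cache present after pam_end)."""
    with tempfile.TemporaryDirectory() as d:  # stands in for /tmp
        tc = TicketCache(d, os.getuid(), os.getgid())
        tc.authenticate(b"constructed TGT bytes")
        path = tc.setcred()
        if refresh:
            tc.setcred(refresh=True)
        mode = os.stat(path).st_mode & 0o777
        tc.end()
        return mode, os.path.exists(path)
```

Without a refresh the destructor removes the user cache at pam_end; with one it is kept, which is the case where a missing pam_close_session leaves a cache behind.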