Bug#492039: libpam-krb5: ssh logins overwrite /tmp/krb5cc_0 (ccache documentation is wrong)


Bug#492039: libpam-krb5: ssh logins overwrite /tmp/krb5cc_0 (ccache documentation is wrong)

by John Houck

Package: libpam-krb5
Version: 2.6-1
Severity: normal


By default, for ssh logins that are authenticated by prompting
for a kerberos password, pam_krb5.so will put user credentials
in /tmp/krb5cc_0, overwriting any existing file by that name,
no matter which user owns the file.

The ccache option is supposed to allow customizing the name of
the credentials file.  Regarding that option, the man page
says:

    This option can be set in krb5.conf and is only
    applicable to the auth and session groups.

This is incorrect -- ccache cannot be set in krb5.conf

Instead, the ccache option must be specified on the pam_krb5.so
command line in /etc/pam.d/common-session as stated in
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=341926
Presumably the ccache_dir option has the same problem, but I
did not investigate this.

An email associated with bug 341926 mentions updating the NEWS
file to make people aware of this, but I saw no such entry in
the NEWS file or any mention of it in the README files.

Unless the code is modified to match the man page description,
the behavior of the ccache option should be more clearly
documented.


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages libpam-krb5 depends on:
ii  krb 1.16                                 Configuration files for Kerberos V
ii  lib 2.3.6.ds1-13etch5                    GNU C Library: Shared libraries
ii  lib 1.39+1.40-WIP-2006.11.14+dfsg-2etch1 common error description library
ii  lib 1.4.4-7etch5                         MIT Kerberos runtime libraries
ii  lib 0.79-5                               Pluggable Authentication Modules l

libpam-krb5 recommends no packages.

-- no debconf information



--
To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...


Bug#492039: libpam-krb5: ssh logins overwrite /tmp/krb5cc_0 (ccache documentation is wrong)

by Russ Allbery-2

John Houck <houck@...> writes:

> By default, for ssh logins that are authenticated by prompting
> for a kerberos password, pam_krb5.so will put user credentials
> in /tmp/krb5cc_0, overwriting any existing file by that name,
> no matter which user owns the file.

What version of OpenSSH are you using?  Given that symptom, you almost
certainly have a broken version.

There is a serious bug in older versions of OpenSSH's PAM support that
tell the PAM module to refresh credentials rather than initialize them,
which is consistent with this particular bug report.  This isn't something
that the PAM module can fix; it's a bug in OpenSSH that has to be fixed
there (and is documented as such in the pam-krb5 documentation as of
version 3.0, which is unfortunately one release after what's currently in
Debian stable).

  Old versions of OpenSSH are known to call pam_authenticate followed by
  pam_setcred(PAM_REINITIALIZE_CRED) without first calling
  pam_open_session, thereby requesting that an existing ticket cache be
  renewed (similar to what a screensaver would want) rather than
  requesting a new ticket cache be created.  Since this behavior is
  indistinguishable at the PAM level from a screensaver, pam-krb5 when
  used with these old versions of OpenSSH will refresh the ticket cache of
  the OpenSSH daemon rather than setting up a new ticket cache for the
  user.  The resulting ticket cache will have the correct permissions
  (this is not a security concern), but will not be named correctly or
  referenced in the user's environment and will be overwritten by the next
  user login.  The best solution to this problem is to upgrade OpenSSH.
  I'm not sure exactly when this problem was fixed, but at the very least
  OpenSSH 4.3 and later do not exhibit it.

The version of OpenSSH that shipped with Debian stable works properly, but
if you have a mixed oldstable system, you may see this problem.

> The ccache option is supposed to allow customizing the name of the
> credentials file.  Regarding that option, the man page says:
>
>     This option can be set in krb5.conf and is only
>     applicable to the auth and session groups.
>
> This is incorrect -- ccache cannot be set in krb5.conf

I'm not sure what to say other than "yes, it can."  Support is there in
the code and I just tested it and it worked fine.  That code hasn't
changed since 2.3.

Of course, if you have the above problem, you won't see the benefits of
setting it when logging in via ssh; you'd need to use a non-broken
program such as login.

> An email associated with bug 341926 mentions updating the NEWS
> file to make people aware of this, but I saw no such entry in
> the NEWS file or any mention of it in the README files.

Yeah, the NEWS.Debian file isn't being installed; it looks like that was
broken at some point in a refactoring of the package.  At this point,
though, that change is so far in the past (2005) that I don't believe it
should be.  I'll delete it entirely in the next release; it would only be
shown to people upgrading from versions before 1.2.0-2 anyway.

--
Russ Allbery (rra@...)               <http://www.eyrie.org/~eagle/>





Bug#492039: libpam-krb5: ssh logins overwrite /tmp/krb5cc_0 (ccache documentation is wrong)

by John Houck

On Wed, Jul 23, 2008 at 12:23 -0700, Russ Allbery wrote:
> John Houck <houck@...> writes:
>
> > By default, for ssh logins that are authenticated by prompting
> > for a kerberos password, pam_krb5.so will put user credentials
> > in /tmp/krb5cc_0, overwriting any existing file by that name,
> > no matter which user owns the file.
>
> What version of OpenSSH are you using?  Given that symptom, you almost
> certainly have a broken version.

I believe it's the current Debian/stable version, 1:4.3p2-9etch2

  > ssh -V
  OpenSSH_4.3p2 Debian-9etch2, OpenSSL 0.9.8c 05 Sep 2006

[...]
> The version of OpenSSH that shipped with Debian stable works properly, but
> if you have a mixed oldstable system, you may see this problem.

It's not a mixed system.  I formatted the disks and installed
etch myself just a few months ago (it's a new system).

>
> > The ccache option is supposed to allow customizing the name of the
> > credentials file.  Regarding that option, the man page says:
> >
> >     This option can be set in krb5.conf and is only
> >     applicable to the auth and session groups.
> >
> > This is incorrect -- ccache cannot be set in krb5.conf
>
> I'm not sure what to say other than "yes, it can."

I don't know what to say either.  I read and re-read all the
docs I could find and tried numerous variations on the
documented syntax for setting the ccache option in krb5.conf.
None of that had any effect.

Setting ccache on the pam_krb5.so command line in
/etc/pam.d/common-session solved the problem immediately.

If it will help, I'm happy to repeat the exercise with krb5.conf
and send you any output or config files you'd like to see.

> Support is there in the code and I just tested it and it worked
> fine.  That code hasn't changed since 2.3.
>
> Of course, if you have the above problem, you won't see the benefits of
> setting it when logging in via ssh; you'd need to use a non-broken
> program such as login.

For what it's worth, console logins have worked fine all along,
putting credentials in /tmp/krb5cc_UID_XXXXXX.

Thanks,
-John





Bug#492039: libpam-krb5: ssh logins overwrite /tmp/krb5cc_0 (ccache documentation is wrong)

by John Houck

On Wed, Jul 23, 2008 at 15:58 -0400, houck wrote:

> On Wed, Jul 23, 2008 at 12:23 -0700, Russ Allbery wrote:
> > John Houck <houck@...> writes:
> > > The ccache option is supposed to allow customizing the name of the
> > > credentials file.  Regarding that option, the man page says:
> > >
> > >     This option can be set in krb5.conf and is only
> > >     applicable to the auth and session groups.
> > >
> > > This is incorrect -- ccache cannot be set in krb5.conf
> >
> > I'm not sure what to say other than "yes, it can."
>
> I don't know what to say either.  I read and re-read all the
> docs I could find and tried numerous variations on the
> documented syntax for setting the ccache option in krb5.conf.
> None of that had any effect.
>
> Setting ccache on the pam_krb5.so command line in
> /etc/pam.d/common-session solved the problem immediately.
>
> If it will help, I'm happy to repeat the exercise with krb5.conf
> and send you any output or config files you'd like to see.

I can reproduce the problem by removing the pam_krb5.so entry
from /etc/pam.d/common-session (so I guess the real bug was
the fact that my earlier pam configuration omitted this line).

With that (broken) pam configuration, I use an /etc/krb5.conf
file that contains:

[appdefaults]
        ccache=FILE:/tmp/krb5cc_%u_XXXXXX
        pam =
        {
          debug = true
          ticket_lifetime = 43200
          renew_lifetime = 43200
          forwardable = true
          krb4_convert = false
        }

Logging in with ssh then creates this credentials file:

> ls -l /tmp/krb5cc*
-rw------- 1 houck houck 479 2008-07-23 19:05 /tmp/krb5cc_0

Here's the debug output from /var/log/auth.log:

  Accepted keyboard-interactive/pam for houck from xxx.xxx.xxx.xxx port 35914 ssh2
  (pam_unix) session opened for user houck by (uid=0)
  (pam_krb5): none: pam_sm_setcred: entry (0x8)
  (pam_krb5): none: no context found, creating one
  (pam_krb5): houck: found initial ticket cache at /tmp/krb5cc_pam_J15925
  (pam_krb5): houck: refreshing ticket cache /tmp/krb5cc_0
  (pam_krb5): houck: initializing ticket cache /tmp/krb5cc_0
  (pam_krb5): houck: pam_sm_setcred: exit (success)

Since the ticket cache file name doesn't match the pattern specified
in krb5.conf, I concluded that the docs were wrong.

But if I now add the pam_krb5.so entry to /etc/pam.d/common-session
then the krb5.conf ccache specification is obeyed.

Perhaps I understand now, more or less.

Thanks,
-John






Bug#492039: libpam-krb5: ssh logins overwrite /tmp/krb5cc_0 (ccache documentation is wrong)

by Russ Allbery-2

John Houck <houck@...> writes:

> I can reproduce the problem by removing the pam_krb5.so entry
> from /etc/pam.d/common-session (so I guess the real bug was
> the fact that my earlier pam configuration omitted this line).

Oh!  That's interesting.  Nice catch -- that's exactly the problem.  ssh
is still doing that reinitialize call but fixed the order, but if you
don't have a session module for pam-krb5, you get the same as the old
broken behavior when the reinitialize call was done first.

Thank you for this -- I will definitely add this to the documentation.

That explains why ccache wasn't working in krb5.conf; the auth setcred
module never looks at it if it's only called with the reinitialize option,
since that's supposed to respect the existing ticket cache (it's intended
for use by screen savers).

--
Russ Allbery (rra@...)               <http://www.eyrie.org/~eagle/>



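The auth.log excerpt John posted and Russ's explanation of the reinitialize call suggest a simple admin-side check. What follows is an added example for this thread, not code from the bug report, pam-krb5, OpenSSH or Debian: it walks constructed auth.log lines modelled on the quoted excerpt, flags a pam_sm_setcred(PAM_REINITIALIZE_CRED) call that arrives with no pam_krb5 open_session before it, flags a resulting cache path that does not fit the ccache template from krb5.conf, and checks a pam.d fragment for a pam_krb5.so session line. The open_session log line, the fixed-case cache name and the 192.0.2.10 address are assumptions; the flag value 0x8 is Linux-PAM's PAM_REINITIALIZE_CRED.

```python
"""Audit pam-krb5 debug output and a pam.d session stack for the symptom
in this bug: a ticket cache landing in /tmp/krb5cc_0 because sshd's
pam_setcred(PAM_REINITIALIZE_CRED) ran with no pam_krb5 session module.

Added example for the thread; not code from pam-krb5, OpenSSH or Debian.
Assumptions are labelled inline."""
import re

# Linux-PAM setcred flag values (pam_setcred(3)); the quoted log line
# "pam_sm_setcred: entry (0x8)" is PAM_REINITIALIZE_CRED.
PAM_ESTABLISH_CRED = 0x2
PAM_REINITIALIZE_CRED = 0x8

# Line shapes taken from the auth.log excerpt in the thread; the
# open_session line is assumed to follow the same "(pam_krb5): user: ..." form.
SETCRED_RE = re.compile(r"\(pam_krb5\): \S+: pam_sm_setcred: entry \((0x[0-9a-fA-F]+)\)")
OPEN_SESSION_RE = re.compile(r"\(pam_krb5\): \S+: pam_sm_open_session: entry")
INIT_CACHE_RE = re.compile(r"\(pam_krb5\): (\S+): initializing ticket cache (\S+)")


def ccache_template_to_regex(template):
    """Compile a pam-krb5 ccache template into a regex for the resulting path.

    %u (numeric UID) and %p (PID) are pam-krb5's documented escapes; a
    trailing XXXXXX is the mkstemp-style random suffix, as in the
    FILE:/tmp/krb5cc_%u_XXXXXX template used in the thread.
    """
    path = template[len("FILE:"):] if template.startswith("FILE:") else template
    parts = []
    for token in re.split(r"(%u|%p|XXXXXX)", path):
        if token in ("%u", "%p"):
            parts.append(r"\d+")
        elif token == "XXXXXX":
            parts.append(r"[A-Za-z0-9]{6}")
        else:
            parts.append(re.escape(token))
    return re.compile("^" + "".join(parts) + "$")


def audit_login(lines, ccache_template="FILE:/tmp/krb5cc_%u_XXXXXX"):
    """Return (code, detail) findings for one login's worth of auth.log lines."""
    expected = ccache_template_to_regex(ccache_template)
    findings = []
    saw_open_session = False
    for line in lines:
        if OPEN_SESSION_RE.search(line):
            saw_open_session = True
            continue
        m = SETCRED_RE.search(line)
        if m:
            flags = int(m.group(1), 16)
            # Reinitialize before any pam_krb5 open_session is exactly the
            # ordering Russ describes: the module refreshes an existing cache
            # and never consults the ccache setting.
            if flags & PAM_REINITIALIZE_CRED and not saw_open_session:
                findings.append(("reinitialize-without-session",
                                 "pam_sm_setcred(PAM_REINITIALIZE_CRED) ran before any "
                                 "pam_krb5 open_session; pam_krb5.so is probably missing "
                                 "from the session stack"))
            continue
        m = INIT_CACHE_RE.search(line)
        if m:
            user, path = m.groups()
            if not expected.match(path):
                findings.append(("ccache-mismatch",
                                 "cache for %s is %s, not of the form %s"
                                 % (user, path, ccache_template)))
    return findings


def session_stack_has_krb5(pam_config_text):
    """True if a pam.d fragment lists pam_krb5.so on a non-comment session line."""
    for raw in pam_config_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "session" and "pam_krb5.so" in fields[2:]:
            return True
    return False


# Constructed sample: the broken login, mirroring the thread's auth.log excerpt.
BROKEN_LOGIN = [
    "Accepted keyboard-interactive/pam for houck from 192.0.2.10 port 35914 ssh2",
    "(pam_unix) session opened for user houck by (uid=0)",
    "(pam_krb5): none: pam_sm_setcred: entry (0x8)",
    "(pam_krb5): none: no context found, creating one",
    "(pam_krb5): houck: found initial ticket cache at /tmp/krb5cc_pam_J15925",
    "(pam_krb5): houck: refreshing ticket cache /tmp/krb5cc_0",
    "(pam_krb5): houck: initializing ticket cache /tmp/krb5cc_0",
    "(pam_krb5): houck: pam_sm_setcred: exit (success)",
]

# Constructed sample: the same login once pam_krb5.so is in common-session
# (the open_session line and the cache name are invented to fit the template).
FIXED_LOGIN = [
    "Accepted keyboard-interactive/pam for houck from 192.0.2.10 port 35915 ssh2",
    "(pam_krb5): houck: pam_sm_open_session: entry (0x0)",
    "(pam_krb5): houck: initializing ticket cache /tmp/krb5cc_1000_Ab3dE9",
    "(pam_krb5): houck: pam_sm_setcred: entry (0x8)",
    "(pam_krb5): houck: pam_sm_setcred: exit (success)",
]

COMMON_SESSION_BROKEN = "session required pam_unix.so\n"
COMMON_SESSION_FIXED = "session required pam_unix.so\nsession optional pam_krb5.so\n"

if __name__ == "__main__":
    for label, login in (("broken", BROKEN_LOGIN), ("fixed", FIXED_LOGIN)):
        print(label, audit_login(login) or "no findings")
    print("common-session has pam_krb5.so:", session_stack_has_krb5(COMMON_SESSION_FIXED))
```

Run against a real auth.log only with pam-krb5's debug option on, since the setcred entry and cache lines are debug output; the session-stack check is the cheaper test and is the one that would have caught John's configuration before any login was attempted.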