Re: sshd, Tiger and KRB5CCNAME - Kerberos


Thread: Re: sshd, Tiger and KRB5CCNAME

  1. Re: sshd, Tiger and KRB5CCNAME


    I think that this behaviour appeared with the last Tiger update. Someone here spotted it today - it seems to be a bug in Apple's OpenSSH package (I haven't yet checked if the bug is also in the CCAPI portion of my patch)

    Simon.
    -----Original Message-----

    From: "Booker C. Bense"
    Subj: sshd, Tiger and KRB5CCNAME
    Date: Fri 25 Aug 2006 18:23
    Size: 1K
    To: kerberos@mit.edu


    I'm running into a very odd bug with the default sshd on Tiger and
    using gssapi w/ credential forwarding. Basically, the credentials
    forward just fine but at some point the session gets

    KRB5CCNAME=FILE:krb5cc_[uid]

    rather than the proper

    KRB5CCNAME=API:krb5cc_[uid]

    As far as I can tell there is nothing in the configuration
    that is setting this variable, and if you reset it in the ssh
    session to its proper value everything works. On what "should"
    be identically configured machines, or I can't find any difference
    between them, the less used machine will do the correct thing,
    but the one that's had more logins does the wrong thing. Or at
    least that's the only difference I can find between machines that
    have the problem and ones that don't.

    Is anyone aware of any condition in the OS X kerberos code where it
    will somehow set KRB5CCNAME to the FILE value? I realize I'm grasping
    at straws here, but I'm really puzzled by this.

    _ Booker C. Bense
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos



  2. Re: sshd, Tiger and KRB5CCNAME



    Is the CCAPI patch even in what went out in the Tiger security
    update? AFAICT, it's not, so perhaps the machines where it isn't
    working have taken the update and the others have not.


    On Aug 25, 2006, at 2:00 PM, wrote:

    >
    > I think that this behaviour appeared with the last Tiger update.
    > Someone here spotted it today - it seems to be a bug in Apple's
    > OpenSSH package (I haven't yet checked if the bug is also in the
    > CCAPI portion of my patch)
    >
    > Simon.
    > -----Original Message-----
    >
    > From: "Booker C. Bense"
    > Subj: sshd, Tiger and KRB5CCNAME
    > Date: Fri 25 Aug 2006 18:23
    > Size: 1K
    > To: kerberos@mit.edu
    >
    >
    > I'm running into a very odd bug with the default sshd on Tiger and
    > using gssapi w/ credential forwarding. Basically, the credentials
    > forward just fine but at some point the session gets
    >
    > KRB5CCNAME=FILE:krb5cc_[uid]
    >
    > rather than the proper
    >
    > KRB5CCNAME=API:krb5cc_[uid]
    >
    > As far as I can tell there is nothing in the configuration
    > that is setting this variable, and if you reset it in the ssh
    > session to its proper value everything works. On what "should"
    > be identically configured machines, or I can't find any difference
    > between them, the less used machine will do the correct thing,
    > but the one that's had more logins does the wrong thing. Or at
    > least that's the only difference I can find between machines that
    > have the problem and ones that don't.
    >
    > Is anyone aware of any condition in the OS X kerberos code where it
    > will somehow set KRB5CCNAME to the FILE value? I realize I'm grasping
    > at straws here, but I'm really puzzled by this.
    >
    > _ Booker C. Bense


    --lxs

    Alexandra Ellwood
    MIT Kerberos Development Team





  3. Re: sshd, Tiger and KRB5CCNAME


    On 25 Aug 2006, at 19:58, Alexandra Ellwood wrote:

    >
    > Is the CCAPI patch even in what went out in the Tiger security
    > update? AFAICT, it's not, so perhaps the machines where it isn't
    > working have taken the update and the others have not.


    No, it is. It looks like the Tiger security update combines the 4.2p1
    OpenSSH release, with the latest version of my GSSAPI patches. These
    patches included CCAPI support, but had a mistake where 'FILE:' was
    appended to the ccname when creating the environment variable for the
    ccache, rather than using 'API:'. You can get access to the delegated
    cache by either changing, or unsetting, your KRB5CCNAME shell variable.

    GssapiKeyExchange is also present, but is now hidden behind an option
    defaulting to off.

    Simon.
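
The workaround described in the post above (putting KRB5CCNAME back to its API: form), written as a snippet for a login profile. This is an added example, not part of the original thread or of the OpenSSH GSSAPI patches; the function names and the rule for recognising the faulty value (a FILE: name with no path component and no matching file on disk) are assumptions.

```sh
# Added example: names and the detection rule are assumptions, not from the thread.

# Print the value KRB5CCNAME should have, given its current value ($1).
# Only the faulty form from the thread is rewritten: FILE:krb5cc_[uid],
# i.e. a FILE: name that carries no path and names no existing file.
fixed_ccname() {
    case "$1" in
        FILE:*)
            residual=${1#FILE:}
            case "$residual" in
                ''|*/*) ;;  # empty, or a real path: a genuine FILE: cache
                *)
                    if [ ! -e "$residual" ]; then
                        printf 'API:%s\n' "$residual"
                        return 0
                    fi
                    ;;
            esac
            ;;
    esac
    printf '%s\n' "$1"
}

# Apply the rewrite only in a session created by sshd (SSH_CONNECTION is
# set by OpenSSH) that already has a credential cache name.
apply_ccname_fix() {
    [ -n "${SSH_CONNECTION:-}" ] || return 0
    [ -n "${KRB5CCNAME:-}" ] || return 0
    new=$(fixed_ccname "$KRB5CCNAME")
    if [ "$new" != "$KRB5CCNAME" ]; then
        KRB5CCNAME=$new
        export KRB5CCNAME
    fi
}

apply_ccname_fix
```

Values that already start with API:, and FILE: names that point at a real path, pass through unchanged, so the snippet does nothing on hosts that do not show the problem.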




  4. Re: sshd, Tiger and KRB5CCNAME



    On Aug 29, 2006, at 10:13 AM, Simon Wilkinson wrote:

    >
    > On 25 Aug 2006, at 19:58, Alexandra Ellwood wrote:
    >
    >>
    >> Is the CCAPI patch even in what went out in the Tiger security
    >> update? AFAICT, it's not, so perhaps the machines where it isn't
    >> working have taken the update and the others have not.

    >
    > No, it is. It looks like the Tiger security update combines the 4.2p1
    > OpenSSH release, with the latest version of my GSSAPI patches. These
    > patches included CCAPI support, but had a mistake where 'FILE:' was
    > appended to the ccname when creating the environment variable for the
    > ccache, rather than using 'API:'. You can get access to the delegated
    > cache by either changing, or unsetting, your KRB5CCNAME shell variable.
    >
    > GssapiKeyExchange is also present, but is now hidden behind an option
    > defaulting to off.
    >



    Just a quick reminder to everyone being impacted by this issue:

    If you would like to see this fixed, please take a moment to file a
    bug report at . If you don't file a
    bug, Apple won't know this is a serious problem and is unlikely to
    fix it promptly. Even if your bug gets filed as a duplicate, you'll
    be added to the list of impacted people and thus increase the bug's
    priority. If you're a large site, telling your Apple sales
    representatives that your bug report is a serious issue for your site
    can also help.

    Discussing it on this list may cause patches to get generated, but it
    doesn't actually get those patches into a software update. :-)



    --lxs

    Alexandra Ellwood
    MIT Kerberos Development Team




