
From: Toby Blake <toby@inf.ed.ac.uk>
Subject: ksu sets KRB5CCNAME to MEMORY:_ksu when using switchable default cache
Date: Tue, 18 Dec 2018 16:18:27 +0000
To: <krb5-bugs@mit.edu>
Hi,

When the default cache is a switchable one, e.g. KEYRING, as set by...

[libdefaults]
default_ccache_name = KEYRING:persistent:%{uid}

... using ksu will result in KRB5CCNAME being set to MEMORY:_ksu and
having no credentials:

[bolt]toby: ksu . -n toby/root
WARNING: Your password may be exposed if you enter it here and are logged
in remotely using an unsecure (non-encrypted) channel.
Kerberos password for toby/root@INF.ED.AC.UK: :
Leaving uid as toby (xxxxx)
[bolt]toby: klist
klist: No credentials cache found
[bolt]toby: echo $KRB5CCNAME
MEMORY:_ksu
[bolt]toby:

This seems to happen in src/clients/ksu/main.c:resolve_target_cache...

The check to determine if the cache type is switchable resolves to true
and the subsequent call to krb5_cc_resolve_cache_match seems to match
on the 'MEMORY:_ksu' cache as used internally by ksu, hence this cache is
returned.

Note this is running the os-shipped 1.15.1 on Scientific Linux 7.5. It
doesn't appear that the relevant code has subsequently changed (in 1.16.2)
but I can't easily test the behaviour.

Cheers
Toby


--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
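
Added example (not part of the original report or of the krb5 sources): a check to run after ksu for the symptom described above, where the configured default cache is a switchable type but KRB5CCNAME ends up naming a MEMORY cache. The function names are hypothetical, and treating DIR, KEYRING and KCM as the switchable types is an assumption.

```shell
#!/bin/sh
# Added example: flag the symptom from this report after running ksu.
# Assumption: DIR, KEYRING and KCM are the switchable (collection) types.

# Print the type prefix of a ccache name; a bare path means FILE.
ccache_type() {
    case "$1" in
        [A-Za-z]*:*) printf '%s\n' "${1%%:*}" ;;
        *)           printf 'FILE\n' ;;
    esac
}

# Read default_ccache_name from the [libdefaults] section of a krb5.conf.
default_ccache_name() {
    awk '
        /^[ \t]*\[/ { in_ld = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_ld && /^[ \t]*default_ccache_name[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$1"
}

# Return 0 (and print a finding) when the configured default cache is a
# switchable type but the environment points at a MEMORY cache, which
# other processes such as klist cannot see.
check_ksu_ccache() {   # $1 = krb5.conf path, $2 = KRB5CCNAME after ksu
    conf_type=$(ccache_type "$(default_ccache_name "$1")")
    env_type=$(ccache_type "$2")
    case "$conf_type" in
        DIR|KEYRING|KCM) ;;
        *) return 1 ;;
    esac
    [ "$env_type" = MEMORY ] || return 1
    printf 'default cache type %s is switchable, but KRB5CCNAME=%s\n' \
        "$conf_type" "$2"
}

# Constructed sample: the configuration and value quoted in the report.
sample_conf=$(mktemp)
printf '[libdefaults]\ndefault_ccache_name = KEYRING:persistent:%%{uid}\n' \
    > "$sample_conf"
check_ksu_ccache "$sample_conf" "MEMORY:_ksu" || true
rm -f "$sample_conf"
```

On a live host, call check_ksu_ccache /etc/krb5.conf "$KRB5CCNAME" from the shell that ksu started.
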
This is probably fixed by commit
49bb627fed70c5258c151c5135ac3d95ed1ee55d ("Don't include all MEMORY
ccaches in collection"), which first appears in the forthcoming release
1.17.
From: Toby Blake <toby@inf.ed.ac.uk>
Subject: Re: [krbdev.mit.edu #8766] ksu sets KRB5CCNAME to MEMORY:_ksu when using switchable default cache
Date: Fri, 21 Dec 2018 12:55:59 +0000
To: rt-comment@krbdev-prod-app-1.mit.edu
> On 18 Dec 2018, at 16:31, Greg Hudson via RT <rt-comment@krbdev-prod-app-1.mit.edu> wrote:
>
> This is probably fixed by commit
> 49bb627fed70c5258c151c5135ac3d95ed1ee55d ("Don't include all MEMORY
> ccaches in collection"), which first appears in the forthcoming release
> 1.17.

Hi Greg,

Thanks for this - I can confirm this fixes the issue.

Toby

