ports/180419: security/openafs-portable uses predictable ccache name

Tue Jul 9 23:10:00 UTC 2013

>Number:         180419
>Category:       ports
>Synopsis:       security/openafs-portable uses predictable ccache name
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 09 23:10:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Garrett Wollman
>Release:        FreeBSD 9.1-RELEASE amd64
>Organization:
MIT Computer Science & Artificial Intelligence Lab
>Environment:
System: FreeBSD khavrinen.csail.mit.edu 9.1-RELEASE FreeBSD 9.1-RELEASE #15 r245182: Tue Jan 8 18:09:56 EST 2013 wollman at khavrinen.csail.mit.edu:/usr/obj/usr/src/sys/KHAVRINEN amd64

openssh-portable-6.2.p2_3,1
Name           : openssh-portable
Version        : 6.2.p2_3,1
Origin         : security/openssh-portable
Prefix         : /usr/local
Categories     : security ipv6
Maintainer     : bdrewery at FreeBSD.org
WWW            : http://www.openssh.org/portable.html
Comment        : The portable version of OpenBSD's OpenSSH
Options        :
        X509           : off
        TCP_WRAPPERS   : on
        SCTP           : on
        PAM            : on
        OVERWRITE_BASE : off
        MIT            : on
        LPK            : off
        LIBEDIT        : on
        KERB_GSSAPI    : on
        HPN            : on
        HEIMDAL_BASE   : off
        HEIMDAL        : off
        BSM            : on
        AES_THREADED   : on
Shared Libs required:
        libkrb5.so
        libk5crypto.so
        libgssapi_krb5.so
        libcom_err.so

[package description elided]

pam_krb5-4.6 is installed and configured in the session stack for the
sshd service.

>Description:

Logins with delegated credentials result in the creation of a new
Kerberos credential cache.  This file is stored in /tmp, and is
supposed to be unique for each ssh session; the name is stored in the
environment variable KRB5CCNAME.

At some point (I think with the upgrade to 6.2), openssh-portable
stopped calling mktemp() on the ccache name, with the result that
multiple ssh sessions now step on each other's credentials.  For
example:

$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_12369_XXXXXXXXXX)

This session should still have a ccache (I haven't run kdestroy), but
the file was deleted when another ssh session on the same server
exited.

I'm fairly certain that this is coming from the openssh side rather
than pam_krb5 because an inspection of the pam_krb5 source code
reveals that it always uses a six-X template for the ccache file, and
the actual ccache name used has ten X's.

>How-To-Repeat:

ssh to some server with delegated credentials.  Run klist, note that
the ccache name looks like an un-randomized mktemp(3) template.  Run
another ssh in parallel and note that it is exactly the same.

>Fix:

???
>Release-Note:
>Audit-Trail:
>Unformatted: