Bug 2204

Summary: gssapi-with-mic and UsePrivilegeSeparation sandbox
Product: Portable OpenSSH Reporter: Georg Hopp <georg>
Component: Kerberos supportAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED DUPLICATE    
Severity: minor CC: djm
Priority: P5    
Version: 6.4p1   
Hardware: amd64   
OS: Linux   

Description Georg Hopp 2014-02-23 04:34:08 AEDT 
Authentication with gssapi-with-mic does not work when
using privilegeSeparation sandbox.

Howto reproduce:

- Use openssh in a kerborized environment.
- activate authentication with gssapi
- activate UsePrivilegeSeparation sandbox
- try to login with a TGT.

Result:

The sshd simply drops the connection without any information
about what happened.

Expected result:

If possible a succesfull login or if not at least when turning
on debugging an information why the login failed.

Additional information:

When doing an strace with the sshd I can't find even an evidence
that the krb5.keytab is tried to beloaded. I guess that sandbox
created some kind of chroot which prevents gssapi from reading
this file at all. Maybe it is possible to initialize the gssapi
before the sandbox is initialized but if that is not possible there
should be at least an information what has happened.

best regards
   Georg Hopp
Comment 1 Damien Miller 2014-02-24 10:34:21 AEDT 
I'm pretty sure that this is bug #2107 - please try the latest patch there.

*** This bug has been marked as a duplicate of bug 2107 ***
Comment 2 Damien Miller 2015-08-11 23:02:52 AEST 
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1