This is my first bug report, request you to correct me if necessary.

For a non-root user, when ChallengeResponse is used with PAM_Kerberos and UsePrivilegeSeparation=yes, sshd creates two credential files in /tmp, and at the end of the session only one is removed.

    $ ssh system1
    .
    .
    $ ps -ef | grep ssh
    root 170   1   0 14:01:58 ?      0:00 /opt/ssh/sbin/sshd
    test 245 243   0 14:03:41 ?      0:00 sshd: test@pts/0
    test 242 225   0 14:03:39 pts/tb 0:00 ssh system1
    root 243 170   0 14:03:39 ?      0:02 sshd: test [priv]
    $ ll /tmp/krb5cc*
    -rw------- 1 test users 416 Oct 20 14:03 /tmp/krb5cc_170_243
    -rw------- 1 test users 416 Oct 20 14:03 /tmp/krb5cc_243_245

Env KRB5CCNAME is set to KRB5CCNAME=FILE:/tmp/krb5cc_243_245

On closing the session, the cache file corresponding to the nonpriv process is not removed.

    $ ll /tmp/krb5cc*
    -rw------- 1 test users 416 Oct 20 14:03 /tmp/krb5cc_243_245

I have tested this on hpux but believe the same behaviour occurs on other OSes as well.

Probable fix is to change the condition in sshpam_cleanup(void) in auth-pam.c:

    < if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor()))
    ---
    > if (sshpam_handle == NULL && (use_privsep && !mm_is_monitor()))
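A check for the leftover caches described in this report, added here as an example and not taken from the report or from OpenSSH: it lists krb5cc files in a directory whose trailing PID no longer belongs to a running process, assuming the /tmp/krb5cc_<monitor_pid>_<child_pid> naming shown above and a POSIX sh with kill and, where present, /proc.

```shell
#!/bin/sh
# Added example, not part of the bug report or of OpenSSH.
# Lists Kerberos credential caches that an sshd session left behind, using the
# /tmp/krb5cc_<monitor_pid>_<child_pid> naming seen above (assumed here):
# a cache whose trailing child PID is no longer running is considered stale.

# pid_alive PID: succeed if a process with that PID exists.
# /proc is checked first so a live process owned by another user (where
# kill -0 fails with EPERM) is still counted as alive.
pid_alive() {
    [ -d "/proc/$1" ] || kill -0 "$1" 2>/dev/null
}

# find_stale_krb5cc DIR: print one stale cache path per line.
find_stale_krb5cc() {
    dir="$1"
    for f in "$dir"/krb5cc_*_*; do
        [ -e "$f" ] || continue          # glob matched nothing
        name=${f##*/}
        child=${name##*_}                # trailing field: session child PID
        case "$child" in
            ''|*[!0-9]*) continue ;;     # not the expected pattern, skip
        esac
        pid_alive "$child" || printf '%s\n' "$f"
    done
}

# Audit /tmp (or the directory given as first argument) when run directly.
find_stale_krb5cc "${1:-/tmp}"
```

Stale entries reported this way are candidates for removal by the file owner or root; the monitor-side cache (krb5cc_<sshd_pid>_<monitor_pid>) is covered by the same rule because its trailing field is the [priv] process PID.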
I don't think the proposed fix is correct - it would allow sshpam_cleanup() to run with a NULL pam handle and probably SEGV when it makes its first PAM call. Perhaps we should relax the !mm_is_monitor() check somehow though. Maybe we could add a new monitor call to run the PAM cleanup as root?
Right, I overlooked the NULL PAM handle. Wouldn't relaxing the mm_is_monitor() check and only checking for privsep work?

    if (sshpam_handle == NULL && use_privsep)