Authentication with gssapi-with-mic does not work when using privilegeSeparation sandbox.

How to reproduce:
- Use OpenSSH in a kerberized environment.
- Activate authentication with gssapi.
- Activate UsePrivilegeSeparation sandbox.
- Try to log in with a TGT.

Result: The sshd simply drops the connection without any information about what happened.

Expected result: If possible, a successful login, or if not, at least some information about why the login failed when debugging is turned on.

Additional information: When running strace on the sshd, I can't find any evidence that it even tries to load the krb5.keytab. I guess that the sandbox created some kind of chroot which prevents gssapi from reading this file at all. Maybe it is possible to initialize the gssapi before the sandbox is initialized, but if that is not possible there should at least be some information about what has happened.

best regards
Georg Hopp
I'm pretty sure that this is bug #2107 - please try the latest patch there.
*** This bug has been marked as a duplicate of bug 2107 ***
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1