Under AIX, if you restart sshd as root while you have KRB5CCNAME set in root's environment (typical after 'ksu'ing), the value of KRB5CCNAME will be inherited by all connecting clients. The code that causes this inheritance is in session.c. Darren Tucker on the openssh-unix-dev mailing list thinks this is due to how AIX's authenticate() function works (seen in auth-passwd.c). As a result, the correct fix would be to unset KRB5CCNAME from the environment at the start. Unfortunately, unsetenv() isn't a standard call on AIX systems. I will attach a patch that fixes this problem.
Created attachment 497: unsets KRB5CCNAME at the beginning of main() in sshd.c
Created attachment 498: Add unsetenv() to openbsd-compat

This bit: strncmp(*curenv, krbccenv, strlen(krbccenv)) == 0 will match env variables longer than 10 chars where the first 10 are "KRB5CCNAME". AIX 5.2, at least, has an unsetenv(), so I think we should use it where possible, and add one to openbsd-compat for versions that don't have it.
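The prefix-match point raised in the comment above, as an added example that is not taken from any of the attached patches or from OpenSSH: the prefix-only comparison next to one that also requires the '=' delimiter, and an in-place removal that drops duplicate entries as well. The function names and the sample environment are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample environment (not from the bug report). */
char *sample_env[] = { "KRB5CCNAME=FILE:/tmp/krb5cc_0", "KRB5CCNAME_OLD=x",
    "PATH=/usr/bin", "KRB5CCNAME=dup", NULL };

/* Prefix-only test as quoted in the thread: also true for "KRB5CCNAME_OLD=x". */
int prefix_only_match(const char *entry, const char *name)
{
	return strncmp(entry, name, strlen(name)) == 0;
}

/* Exact test: the name must be followed directly by '='. */
int exact_name_match(const char *entry, const char *name)
{
	size_t len = strlen(name);
	return strncmp(entry, name, len) == 0 && entry[len] == '=';
}

/* Remove every "name=value" entry from a NULL-terminated array in place;
 * returns the count removed, or -1 for an invalid name. */
int env_remove(char **env, const char *name)
{
	char **src, **dst;
	int removed = 0;

	if (name == NULL || *name == '\0' || strchr(name, '=') != NULL)
		return -1;
	if (env == NULL)
		return 0;
	for (src = dst = env; *src != NULL; src++) {
		if (exact_name_match(*src, name))
			removed++;	/* dropped; duplicates are dropped too */
		else
			*dst++ = *src;	/* kept; only pointers are moved */
	}
	*dst = NULL;
	return removed;
}

int main(void)
{
	int n = env_remove(sample_env, "KRB5CCNAME");

	printf("removed %d, first remaining: %s\n", n, sample_env[0]);
	return 0;
}
```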
Created attachment 517: Clear child's environment

Please try this patch, which clears the child's entire environment.
Created attachment 520: Clear daemon's environment at startup

The patch in attachment #517 probably won't work as it clears the wrong environment. Please try this patch, which works for me if I manually set KRB5CCNAME before starting sshd.
Yup, patch #520 works great in my tests. Are there plans to merge this into the OpenSSH portable tree?
Comment on attachment 520: Clear daemon's environment at startup

>+ >+ /* Clear environment */ >+ environ[0] = NULL;

hm, I think that cygwin may need to preserve some environment vars, so this needs to be !HAVE_CYGWIN at least.
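Review bot: environ[0] = NULL; writes through environ without checking that the pointer itself is non-NULL, so a daemon started with a null environment pointer would fault on this line at startup; guarding it with if (environ != NULL) costs nothing. The comment /* Clear environment */ should also state the reason, namely that variables such as KRB5CCNAME set in the invoking root shell must not reach client sessions, so the line is not later removed as redundant.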
This has now been fixed, thanks for the report.

- (dtucker) [sshd.c] Bug #757: Clear child's environment to prevent accidentally inheriting from root's environment. ok djm@
Mass change of RESOLVED bugs to CLOSED