From owner-freebsd-ports-bugs@FreeBSD.ORG Tue Jul 9 23:10:00 2013 Return-Path: Delivered-To: freebsd-ports-bugs@smarthost.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id CFB164B0 for ; Tue, 9 Jul 2013 23:10:00 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by mx1.freebsd.org (Postfix) with ESMTP id B40AB12B0 for ; Tue, 9 Jul 2013 23:10:00 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.7/8.14.7) with ESMTP id r69NA0Rn094146 for ; Tue, 9 Jul 2013 23:10:00 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.7/8.14.7/Submit) id r69NA0Sn094144; Tue, 9 Jul 2013 23:10:00 GMT (envelope-from gnats) Resent-Date: Tue, 9 Jul 2013 23:10:00 GMT Resent-Message-Id: <201307092310.r69NA0Sn094144@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-ports-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Garrett Wollman Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 8D1EF41A for ; Tue, 9 Jul 2013 23:02:42 +0000 (UTC) (envelope-from wollman@khavrinen.csail.mit.edu) Received: from khavrinen.csail.mit.edu (khavrinen.csail.mit.edu [IPv6:2001:470:8b2d:1e1c:21b:21ff:feb8:d7b0]) by mx1.freebsd.org (Postfix) with ESMTP id 696E61270 for ; Tue, 9 Jul 2013 23:02:42 +0000 (UTC) Received: from khavrinen.csail.mit.edu (localhost [127.0.0.1]) by khavrinen.csail.mit.edu (8.14.5/8.14.5) with ESMTP id r69N2fpw005307 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL CN=khavrinen.csail.mit.edu issuer=Client+20CA) for ; Tue, 9 Jul 2013 19:02:41 -0400 (EDT) (envelope-from wollman@khavrinen.csail.mit.edu) Received: (from wollman@localhost) by khavrinen.csail.mit.edu (8.14.5/8.14.5/Submit) id r69N2fSX005306; Tue, 9 Jul 2013 19:02:41 -0400 (EDT) (envelope-from wollman) Message-Id: <201307092302.r69N2fSX005306@khavrinen.csail.mit.edu> Date: Tue, 9 Jul 2013 19:02:41 -0400 (EDT) From: Garrett Wollman To: FreeBSD-gnats-submit@freebsd.org X-Send-Pr-Version: 3.113 Subject: ports/180419: security/openafs-portable uses predictable ccache name X-BeenThere: freebsd-ports-bugs@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list Reply-To: Garrett Wollman List-Id: Ports bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Jul 2013 23:10:00 -0000 >Number: 180419 >Category: ports >Synopsis: security/openafs-portable uses predictable ccache name >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Tue Jul 09 23:10:00 UTC 2013 >Closed-Date: >Last-Modified: >Originator: Garrett Wollman >Release: FreeBSD 9.1-RELEASE amd64 >Organization: MIT Computer Science & Artificial Intelligence Lab >Environment: System: FreeBSD khavrinen.csail.mit.edu 9.1-RELEASE FreeBSD 9.1-RELEASE #15 r245182: Tue Jan 8 18:09:56 EST 2013 wollman@khavrinen.csail.mit.edu:/usr/obj/usr/src/sys/KHAVRINEN amd64 openssh-portable-6.2.p2_3,1 Name : openssh-portable Version : 6.2.p2_3,1 Origin : security/openssh-portable Prefix : /usr/local Categories : security ipv6 Maintainer : bdrewery@FreeBSD.org WWW : http://www.openssh.org/portable.html Comment : The portable version of OpenBSD's OpenSSH Options : X509 : off TCP_WRAPPERS : on SCTP : on PAM : on OVERWRITE_BASE : off MIT : on LPK : off LIBEDIT : on KERB_GSSAPI : on HPN : on HEIMDAL_BASE : off HEIMDAL : off BSM : on AES_THREADED : on Shared Libs required: libkrb5.so libk5crypto.so libgssapi_krb5.so libcom_err.so [package description elided] pam_krb5-4.6 is installed and configured in the session stack for the sshd service. >Description: Logins with delegated credentials result in the creation of a new Kerberos credential cache. This file is stored in /tmp, and is supposed to be unique for each ssh session; the name is stored in the environment variable KRB5CCNAME. At some point (I think with the upgrade to 6.2), openssh-portable stopped calling mktemp() on the ccache name, with the result that multiple ssh sessions now step on each other's credentials. For example: $ klist klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_12369_XXXXXXXXXX) This session should still have a ccache (I haven't run kdestroy), but the file was deleted when another ssh session on the same server exited. I'm fairly certain that this is coming from the openssh side rather than pam_krb5 because an inspection of the pam_krb5 source code reveals that it always uses a six-X template for the ccache file, and the actual ccache name used has ten X's. >How-To-Repeat: ssh to some server with delegated credentials. Run klist, note that the ccache name looks like an un-randomized mktemp(3) template. Run another ssh in parallel and note that it is exactly the same. >Fix: ??? >Release-Note: >Audit-Trail: >Unformatted: