Message-Id: <200410042329.i94NTfCd039943@www.freebsd.org>
Date: Mon, 4 Oct 2004 23:29:41 GMT
From: Peter Losher <Peter_Losher@isc.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ssh.com port startup script needs to invoke 'env -i' before calling up sshd.
X-Send-Pr-Version: www-2.3

>Number:         72339
>Category:       ports
>Synopsis:       security/ssh2 port startup script needs to invoke 'env -i' before calling up sshd.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    marius
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Oct 04 23:30:21 GMT 2004
>Closed-Date:    Sun Feb 19 23:04:03 GMT 2006
>Last-Modified:  Sun Feb 19 23:04:03 GMT 2006
>Originator:     Peter Losher
>Release:        5.3-BETA3
>Organization:
ISC
>Environment:
FreeBSD tardis.isc.org 5.3-BETA3 FreeBSD 5.3-BETA3 #10: Sun Sep  5 21:25:58 PDT 2004     plosher@tardis.isc.org:/usr/obj/usr/src/sys/CONSOLE  i386
 
>Description:
For those of us running the ssh.com port with Krb5 support, we need 'env -i' invoked before sshd so that it doesn't inherit a KRB5CCNAME environment variable from the shell.  Not doing this causes problems with the ticket cache which is an issue with ksu, among other things.  In fact sshd shouldn't inherit any environment variables, imo.
>How-To-Repeat:
Run a system w/ MIT Kerberos & ssh.com's ssh2 from /usr/ports w/ Kerberos support enabled, and have more than two people try and ksu on the same system and you will get an 'Error in permissions opening credenials cache'.
>Fix:
Enclosed is a patch for the startup script so that it calls 'env -i' before calling sshd.

-=-
--- sshd2.sh.orig       Thu Sep  9 20:48:53 2004
+++ sshd2.sh    Thu Sep  9 20:49:01 2004
@@ -35,7 +35,7 @@
 case "$1" in
   start)
        # Start daemons.
-       ${SBINDIR}/sshd2 2> /dev/null
+       env -i ${SBINDIR}/sshd2 2> /dev/null
        echo -n ' sshd2'
        ;;
   stop)
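Review bot: `env -i` on the changed start line is much broader than the problem being fixed: it empties the whole environment, not just KRB5CCNAME, so sshd2 also starts without PATH, TZ and anything else the boot environment provides, and because the same line sends stderr to /dev/null any startup problem caused by the missing variables is silent. If the goal is only to keep the invoking shell's ticket cache out of the daemon, an `unset KRB5CCNAME` before the call is the narrower change; if a clean environment is really wanted, pass the variables the daemon needs explicitly after `env -i` and add a comment in the script saying why the environment is reset.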
-=-
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->marius 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Tue Oct 5 02:38:07 GMT 2004 
Responsible-Changed-Why:  
Over to maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=72339 

From: Marius Strobl <marius@alchemy.franken.de>
To: freebsd-gnats-submit@FreeBSD.org, Peter_Losher@isc.org
Cc:  
Subject: Re: ports/72339: security/ssh2 port startup script needs to invoke 'env -i' before calling up sshd.
Date: Sat, 1 Jan 2005 21:12:37 +0100

 Sorry for the late reply.
 
 Starting sshd with 'env -i' is not a good idea in general as sshd
 obtains things like the timezone, debugging options for malloc(3)
 and sshd specific ones etc. via the environment.
 Moreover, sshd explicitly inherits the KRB5CCNAME environment
 variable in ssh_session_init_env() if either compiled with Kerberos
 support or on AIX. I'm not sure why this is done; as far as I could
 find out this only should be done on AIX when not using Kerberos
 but I'm not absolutely sure about this.
 Anyway, inheriting KRB5CCNAME at that point shouldn't hurt as sshd
 will later set up a unique KRB5CCNAME for the specific session and
 user in ssh_user_become_generic() if there's a TGT.
 As I don't know much about Kerberos and you didn't say what the
 KRB5CCNAME sshd sets up looks like (e.g. is it exactly set to the
 same as in the shell starting sshd?) I can't follow what's the
 real problem here.
 Could you please check what KRB5CCNAME is set to once a user is
 logged in via ssh? It should have the format:
 "FILE:/tmp/krb5cc_p<username><client_sshd_pid>"
 Could you please also start sshd with the '-v' option (sshd will
 stay in foreground) and check its output when logging in? It
 should also emit Kerberos related debugging output and "Placing
 ticket cache KRB5CCNAME=<...> into environment" or otherwise info
 about problems with the TGT.
 There's also the small chance that I'm overlooking something and
 your problems are caused by the local patches in the port. Could
 you therefore please give the port a try when built without the
 patches-*.c and without your work-around?
 
 Marius
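
The trade-off discussed in this thread (a clean environment versus the variables sshd reads from it), as an added example that is not part of the PR or the port: a wrapper that starts a command under `env -i` with an explicit allow-list. The allow-list contents, the function names and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the port's rc script.
# Assumed allow-list: TZ and MALLOC_OPTIONS stand for the timezone and
# malloc(3) options mentioned in the reply; KRB5CCNAME is deliberately absent.
ALLOW="PATH TZ MALLOC_OPTIONS"

# run_allowlisted CMD [ARGS...]
# Runs CMD under 'env -i', copying back only the allow-listed variables
# that are set in the caller. Anything else never reaches the child.
run_allowlisted() {
    for _name in $ALLOW; do
        if eval "[ \"\${$_name+set}\" = set ]"; then
            eval "_val=\$$_name"
            # Prepend NAME=value so it precedes the command for env(1).
            set -- "$_name=$_val" "$@"
        fi
    done
    env -i "$@"
}

# child_value MODE NAME
# Prints NAME's value as seen by a child started in MODE
# (inherit | clean | allowlist); prints nothing if the child lacks it.
child_value() {
    case $1 in
        inherit)   _out=$(env) ;;
        clean)     _out=$(env -i /usr/bin/env) ;;
        allowlist) _out=$(run_allowlisted env) ;;
    esac
    printf '%s\n' "$_out" | sed -n "s/^$2=//p"
}

# Constructed sample values standing in for the shell that starts the daemon.
KRB5CCNAME="FILE:/tmp/krb5cc_padmin1234"
TZ="UTC"
export KRB5CCNAME TZ

for mode in inherit clean allowlist; do
    printf '%-9s KRB5CCNAME=%s TZ=%s\n' "$mode" \
        "$(child_value "$mode" KRB5CCNAME)" "$(child_value "$mode" TZ)"
done
```
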
 
State-Changed-From-To: open->closed 
State-Changed-By: marius 
State-Changed-When: Sun Feb 19 23:02:43 UTC 2006 
State-Changed-Why:  

Close due to feedback timeout. 

>Unformatted:
