[krbdev.mit.edu #8895] ksu broken on 1.18
Garrett Wollman via RT
rt-comment at KRBDEV-PROD-APP-1.mit.edu
Sun Apr 5 23:42:38 EDT 2020
Sun Apr 05 23:42:38 2020: Request 8895 was acted upon.
Transaction: Ticket created by wollman at bimajority.org
Queue: krb5
Subject: ksu broken on 1.18
Owner: Nobody
Requestors: wollman at bimajority.org
Status: new
Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8895 >

The change described thusly in the release notes:

    setuid programs will automatically ignore environment
    variables that normally affect krb5 API functions, even if the
    caller does not use krb5_init_secure_context().

breaks ksu when run in an ssh session (either interactively, or, e.g.,
by ansible). ssh creates separate ccaches for each session and sets
KRB5CCNAME accordingly; ignoring the process environment causes ksu to
look at the nonexistent default ccache and conclude that the user
needs to enter a password to authenticate.

-GAWollman