[37687] in Kerberos
Re: KEYRING:persistent and ssh
daemon@ATHENA.MIT.EDU (Russ Allbery)
Mon Sep 19 12:23:37 2016
From: Russ Allbery <eagle@eyrie.org>
To: tseegerkrb <tseegerkrb@gmail.com>
In-Reply-To: <666c0330-db6b-4b50-d3ba-89ac449a9c98@gmail.com>
(tseegerkrb@gmail.com's message of "Mon, 19 Sep 2016 09:04:26 +0200")
Date: Mon, 19 Sep 2016 09:23:16 -0700
Message-ID: <87eg4fuadn.fsf@hope.eyrie.org>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
tseegerkrb <tseegerkrb@gmail.com> writes:
> I think the sshd daemon does not honor the "default_ccache_name" and uses
> the default file format.
I'm pretty sure you're correct if you're doing GSS-API authentication with
ssh. Looking at the source code to sshd, you don't seem to get much
choice in the matter:
    # ifdef HAVE_KRB5_CC_NEW_UNIQUE
            problem = krb5_cc_new_unique(authctxt->krb5_ctx,
                krb5_fcc_ops.prefix, NULL, &authctxt->krb5_fwd_ccache);
    # else
            problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
                &authctxt->krb5_fwd_ccache);
    # endif
    [...]
            authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
            len = strlen(authctxt->krb5_ticket_file) + 6;
            authctxt->krb5_ccname = xmalloc(len);
    #ifdef USE_CCAPI
            snprintf(authctxt->krb5_ccname, len, "API:%s",
                authctxt->krb5_ticket_file);
    #else
            snprintf(authctxt->krb5_ccname, len, "FILE:%s",
                authctxt->krb5_ticket_file);
    #endif
You'd need to write a PAM module that read in that ticket cache file and
wrote it back out to your preferred ticket cache format and then adjusted
KRB5CCNAME in the user's environment. Unfortunately, there doesn't appear
to be any way of preventing the ticket cache from being temporarily
written to /tmp.
--
Russ Allbery (eagle@eyrie.org) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos