[37708] in Kerberos
Re: KEYRING:persistent and ssh
daemon@ATHENA.MIT.EDU (tseegerkrb)
Tue Sep 27 03:41:03 2016
To: Russ Allbery <eagle@eyrie.org>, tseegerkrb <tseegerkrb@gmail.com>
From: tseegerkrb <tseegerkrb@gmail.com>
Message-ID: <eb75c622-9451-d0de-5e0a-5a1802570d6e@gmail.com>
Date: Tue, 27 Sep 2016 09:40:45 +0200
MIME-Version: 1.0
In-Reply-To: <87mvj1dtab.fsf@hope.eyrie.org>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On 21.09.2016 20:03, Russ Allbery wrote:
> tseegerkrb <tseegerkrb@gmail.com> writes:
>
>> Thanks for your help. Is my setup so special (kerberos/OpenLDAP/sssd/sshd)
>> that nobody is using it? I think I will ask debian/ubuntu or the openssh
>> maintainer for help.
> It's sadly quite unusual to use non-FILE ticket caches. I wish it
> weren't, since KEYRING has nice security properties, but it's relatively
> new and the rest of the world has definitely not adapted yet.
>
Maybe I have another problem, because if I connect from a client without a
ticket I get (after I enter my password) a ticket and it uses the
KEYRING:persistent cache. KRB5CCNAME is set to the KEYRING:persistent
cache and I can ssh to the next box without entering my password again, but
then it uses the file-based ticket cache...
Another problem is that I cannot use user@REALM to ssh to the next box
without a password. If I use "kinit user@REALM" I get a ticket, but if I
then "ssh -l user@REALM mybox" it asks for the password again. But if I
just use "ssh -l user mybox" it connects without the password.
Any idea where I should search for the failure?
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
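The message above describes a chain where the first hop uses a KEYRING:persistent cache and the second hop ends up on a FILE cache. The script below is an added example for narrowing that down; it is not part of the original message, of MIT Kerberos or of OpenSSH. It classifies a credential-cache name the way libkrb5 does (a name without a TYPE: prefix is a FILE cache), reads default_ccache_name out of the [libdefaults] section of a krb5.conf, and reports whether the cache a hop is actually using matches what its krb5.conf asks for. The krb5.conf content and the cache names it feeds in are constructed for the demonstration, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the mailing-list message or from any
# Kerberos/OpenSSH project. Run it on each hop of an ssh chain with that
# hop's KRB5CCNAME and krb5.conf to see where the cache type changes.

# Return the cache type for a KRB5CCNAME-style value. libkrb5 treats a
# name without a "TYPE:" prefix as a FILE cache; an empty value means
# "use the configured default".
ccache_type() {
    case "$1" in
        "")   echo DEFAULT ;;
        *:*)  echo "${1%%:*}" ;;
        *)    echo FILE ;;
    esac
}

# Print default_ccache_name from the [libdefaults] section of the
# krb5.conf given as $1, or "unset" when the key is absent (MIT krb5 then
# falls back to a FILE cache under /tmp).
default_ccache_name() {
    awk '
        /^[[:space:]]*\[/ {
            in_libdefaults = ($0 ~ /^[[:space:]]*\[libdefaults\]/); next
        }
        in_libdefaults && /^[[:space:]]*default_ccache_name[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); print; found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Read "klist" output on stdin and print the cache name from its
# "Ticket cache:" line. Use this on a hop where KRB5CCNAME is not
# exported but sshd has already populated a cache for the session.
klist_cache() {
    sed -n 's/^Ticket cache: //p' | head -n 1
}

# Compare the cache type a hop is actually using ($1 = its KRB5CCNAME,
# may be empty) with the type its krb5.conf ($2) configures.
# Prints MATCH or MISMATCH.
check_hop() {
    configured=$(ccache_type "$(default_ccache_name "$2")")
    effective=$(ccache_type "$1")
    [ "$effective" = DEFAULT ] && effective=$configured
    if [ "$effective" = "$configured" ]; then echo MATCH; else echo MISMATCH; fi
}

# Constructed krb5.conf for the demonstration (not a real system's file).
write_sample_krb5_conf() {
    printf '%s\n' \
        '[libdefaults]' \
        '    default_realm = EXAMPLE.COM' \
        '    default_ccache_name = KEYRING:persistent:%{uid}' \
        '' \
        '[realms]' \
        '    EXAMPLE.COM = {' \
        '        kdc = kdc.example.com' \
        '    }' > "$1"
}

# Demonstration: the first hop honours the KEYRING default, the second hop
# (a sshd-created FILE cache, name made up) does not, an unset KRB5CCNAME
# falls back to the configured default.
conf=$(mktemp) && trap 'rm -f "$conf"' EXIT
write_sample_krb5_conf "$conf"
echo "configured default_ccache_name: $(default_ccache_name "$conf")"
for name in 'KEYRING:persistent:1000' 'FILE:/tmp/krb5cc_1000_abc123' ''; do
    printf 'KRB5CCNAME=%-32s -> %s\n' "'$name'" "$(check_hop "$name" "$conf")"
done
```

On a real hop, replace the constructed names with `"$KRB5CCNAME"` and `/etc/krb5.conf`; when KRB5CCNAME is empty, `klist | klist_cache` shows which cache libkrb5 resolved to, and a FILE name there on a box whose krb5.conf says KEYRING means the cache was created by something (such as the ssh server storing delegated credentials) that did not consult default_ccache_name.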