[37712] in Kerberos


Re: KEYRING:persistent and ssh

daemon@ATHENA.MIT.EDU (t Seeger)
Wed Sep 28 07:43:14 2016

Mime-Version: 1.0 (1.0)
From: t Seeger <tseegerkrb@gmail.com>
In-Reply-To: <CAH5-_XNciORghCcUszfm33ASb53YLiod5GiXkECqmo+kgdxxcg@mail.gmail.com>
Date: Wed, 28 Sep 2016 13:42:55 +0200
Message-Id: <A52B5638-0587-4B58-AC06-435BA9B608EF@gmail.com>
To: Tina Harriott <tina.harriott.math@gmail.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

> On 27 Sep 2016, at 15:20, Tina Harriott <tina.harriott.math@gmail.com> wrote:
> 
>> On 16 September 2016 at 16:02, t Seeger <tseegerkrb@gmail.com> wrote:
>> Hello,
>> 
>> I have a little problem with the 'KRB5CCNAME' environment variable. I set
>> the default_ccache_name to KEYRING:persistent:%{uid} but if I log in it is
>> set to "file:/tmp/krb5cc_${uid}_XXXXXXXXXX" because ssh sets the KRB5CCNAME
>> to file:/tmp/krb5cc_${uid}_XXXXXXXXXX...
>> I found a workaround by adding "unset KRB5CCNAME" to /etc/bash.bashrc but
>> this is not very nice.
>> Did anyone have a similar problem and find a solution?
>> 
>> Many thanks in advance and best regards
>> ________________________________________________
>> Kerberos mailing list           Kerberos@mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> FYI KEYRING: will be removed in future versions of the Linux kernel
> because of the ongoing design defects.
> Also, KEYRING is not secure; under certain scenarios (DOCKER et al.)
> unrelated users/uids can obtain the secure data.
> 
> Tina
> -- 
> Tina Harriott  - Women in Mathematics
> Contact: tina.harriott.math@gmail.com

Thank you for your reply. I have two questions. First, can you tell me what the best-practice way to store the credential cache is, and second, where can I find more information about the plan to remove the KEYRING from the kernel?

Thorsten 
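
Added example (not part of the original message and not MIT krb5 code): a shell check for the precedence behind the problem quoted above, where a KRB5CCNAME inherited from the login session overrides default_ccache_name. The krb5.conf contents, realm, uid 1000 and cache file suffix are constructed, the function names are hypothetical, and the FILE: fallback is an assumed build default.

```shell
#!/bin/sh
# Added example: which credential cache will this session use, and does an
# inherited KRB5CCNAME mask default_ccache_name from krb5.conf?

# Print default_ccache_name from the [libdefaults] section of krb5.conf ($1).
configured_ccache() {
    awk '
        /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && /^[ \t]*default_ccache_name[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# Expand the %{uid} token ($1 = template, $2 = numeric uid).
expand_uid() { printf '%s\n' "$1" | sed "s/%{uid}/$2/g"; }

# KRB5CCNAME, when set and non-empty, takes precedence over krb5.conf.
effective_ccache() {   # $1 = krb5.conf path, $2 = uid
    if [ -n "${KRB5CCNAME:-}" ]; then printf '%s\n' "$KRB5CCNAME"; return; fi
    conf=$(configured_ccache "$1")
    # Assumption: usual Unix build-time fallback when nothing is configured.
    [ -n "$conf" ] || conf='FILE:/tmp/krb5cc_%{uid}'
    expand_uid "$conf" "$2"
}

# Succeeds when the environment masks a configured default.
ccache_masked() {      # $1 = krb5.conf path, $2 = uid
    conf=$(configured_ccache "$1")
    [ -n "${KRB5CCNAME:-}" ] && [ -n "$conf" ] &&
        [ "$KRB5CCNAME" != "$(expand_uid "$conf" "$2")" ]
}

# Constructed sample input (not from a real host).
demo_conf=$(mktemp); trap 'rm -f "$demo_conf"' EXIT
cat > "$demo_conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    default_ccache_name = KEYRING:persistent:%{uid}
[realms]
    EXAMPLE.COM = { kdc = kdc.example.com }
EOF
KRB5CCNAME='FILE:/tmp/krb5cc_1000_AbCdEf1234'   # constructed sshd-style value
echo "effective:   $(effective_ccache "$demo_conf" 1000)"
ccache_masked "$demo_conf" 1000 && echo "KRB5CCNAME masks the krb5.conf default"
unset KRB5CCNAME
echo "after unset: $(effective_ccache "$demo_conf" 1000)"
```
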