[37713] in Kerberos


Re: KEYRING:persistent and ssh

daemon@ATHENA.MIT.EDU (Simo Sorce)
Wed Sep 28 09:15:58 2016

Message-ID: <1475068541.3612.74.camel@redhat.com>
From: Simo Sorce <simo@redhat.com>
To: Tina Harriott <tina.harriott.math@gmail.com>
Date: Wed, 28 Sep 2016 09:15:41 -0400
In-Reply-To: <CAH5-_XNciORghCcUszfm33ASb53YLiod5GiXkECqmo+kgdxxcg@mail.gmail.com>
Cc: kerberos@mit.edu

On Tue, 2016-09-27 at 15:20 +0200, Tina Harriott wrote:
> On 16 September 2016 at 16:02, t Seeger <tseegerkrb@gmail.com> wrote:
> > Hello,
> >
> > I have a little problem with the 'KRB5CCNAME' environment variable. I set
> > the default_ccache_name to KEYRING:persistent:%{uid} but if I log in it is
> > set to "file:/tmp/krb5cc_${uid}_XXXXXXXXXX" because ssh sets the KRB5CCNAME
> > to file:/tmp/krb5cc_${uid}_XXXXXXXXXX...
> > I found a workaround by adding "unset KRB5CCNAME" to /etc/bash.bashrc but
> > this is not very nice.
> > Has anyone had a similar problem and found a solution?
> >
> > Many thanks in advance and best regards
> > ________________________________________________
> > Kerberos mailing list           Kerberos@mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> FYI, KEYRING: will be removed in future versions of the Linux kernel
> because of the ongoing design defects.

Could you please provide the source of this rumor?
As far as I know this statement is false.

> Also, KEYRING is not secure; under certain scenarios (Docker et al.)
> unrelated users/uids can obtain the secure data.

We are working upstream to properly namespace the keyring too, once done
the container's case will be addressed too.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
