[37694] in Kerberos
Re: KEYRING:persistent and ssh
daemon@ATHENA.MIT.EDU (tseegerkrb)
Wed Sep 21 02:15:32 2016
To: Russ Allbery <eagle@eyrie.org>
From: tseegerkrb <tseegerkrb@gmail.com>
Message-ID: <db3e2efa-b07b-8c6b-7c40-913688ea31fa@gmail.com>
Date: Wed, 21 Sep 2016 08:15:08 +0200
MIME-Version: 1.0
In-Reply-To: <87eg4fuadn.fsf@hope.eyrie.org>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Thanks for your help. Is my setup so special
(Kerberos/OpenLDAP/sssd/sshd) that nobody is using it? I think I will ask
the Debian/Ubuntu or the OpenSSH maintainers for help.
On 19.09.2016 18:23, Russ Allbery wrote:
> tseegerkrb <tseegerkrb@gmail.com> writes:
>
>> I think the sshd daemon does not honor "default_ccache_name" and uses
>> the default file format.
> I'm pretty sure you're correct if you're doing GSS-API authentication with
> ssh. Looking at the source code to sshd, you don't seem to get much
> choice in the matter:
>
> # ifdef HAVE_KRB5_CC_NEW_UNIQUE
>         problem = krb5_cc_new_unique(authctxt->krb5_ctx,
>             krb5_fcc_ops.prefix, NULL, &authctxt->krb5_fwd_ccache);
> # else
>         problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
>             &authctxt->krb5_fwd_ccache);
> # endif
>
> [...]
>
>         authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx,
>             authctxt->krb5_fwd_ccache);
>
>         len = strlen(authctxt->krb5_ticket_file) + 6;
>         authctxt->krb5_ccname = xmalloc(len);
> #ifdef USE_CCAPI
>         snprintf(authctxt->krb5_ccname, len, "API:%s",
>             authctxt->krb5_ticket_file);
> #else
>         snprintf(authctxt->krb5_ccname, len, "FILE:%s",
>             authctxt->krb5_ticket_file);
> #endif
>
> You'd need to write a PAM module that read in that ticket cache file and
> wrote it back out to your preferred ticket cache format and then adjusted
> KRB5CCNAME in the user's environment. Unfortunately, there doesn't appear
> to be any way of preventing the ticket cache from being temporarily
> written to /tmp.
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos