[Bug 1889548] Re: ssh using gssapi will enforce FILE: credentials cache
Christian Ehrhardt
1889548 at bugs.launchpad.net
Tue Aug 4 07:22:35 UTC 2020
Hi Toby,
It seems that this is an ongoing topic for years; I've found this discussed
from the KRB POV [1] and on openssh [2]. Especially following [1] it
seems things aren't too easy, but there are a few workarounds/hints that
might or might not help your use case.
In general, having this configurable instead of hard-coded in ssh sounds
right to me, but it would then be an upstream feature request that you
could report at [3]. If you happen to do so it would be awesome to
report the ID back here so that we can link the bugs and track what
upstream thinks/says about it.
One thing though - you write explicitly "to a 20.04 machine"; is that behaviour in any way a regression from the former versions?
[1]: http://kerberos.996246.n3.nabble.com/KRB5CCNAME-and-sshd-td13395.html
[2]: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-December/033217.html
[3]: https://bugzilla.mindrot.org/show_bug.cgi
** Changed in: openssh (Ubuntu)
Status: New => Confirmed
** Changed in: openssh (Ubuntu)
Importance: Undecided => Wishlist
https://bugs.launchpad.net/bugs/1889548
Title:
ssh using gssapi will enforce FILE: credentials cache
Status in openssh package in Ubuntu:
Confirmed
Bug description:
Hi,
ssh connections from a client with the following in ssh_config...
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
... to an ubuntu 20.04 machine result in KRB5CCNAME being set to
'FILE:/tmp/krb5cc_[uid]_[random]' despite the following in
/etc/krb5.conf:
[libdefaults]
...
default_ccache_name = KEYRING:persistent:%{uid}
This means that we cannot enforce a policy to use KEYRING ccaches
across our systems. Authentications which go via the pam stack (e.g.
login to the machine at the console or over ssh using a password) can
be configured to use a KEYRING ccache, via libpam-krb5 settings in
/etc/krb5.conf.
The FILE: setting seems to be hard-coded in the openssh code
(auth-krb5.c). It would be great if ssh (gssapi-with-mic) connections
either (a) set KRB5CCNAME to the default_ccache_name value, if set in
/etc/krb5.conf, or (b) didn't set KRB5CCNAME at all, so the system
default is used.
Many thanks
Toby Blake
School of Informatics
University of Edinburgh
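A quick way to verify on a host whether a GSSAPI ssh session actually honours the default_ccache_name policy from krb5.conf is to compare the cache type libkrb5 was told to use (default_ccache_name in [libdefaults]) with the one the session ended up with (KRB5CCNAME). The script below is an added example written for this page; it is not code from the bug report, from OpenSSH or from MIT Kerberos. The function names (ccache_policy, ccache_type, check_session) and the sample krb5.conf are constructed for illustration; the fallback of "FILE:/tmp/krb5cc_%{uid}" when no default_ccache_name is set is the stock MIT Kerberos compiled-in default and is stated as an assumption about the local build.

```shell
#!/bin/sh
# ccache_policy_check.sh - added example, not part of the bug report or OpenSSH.
# Compares the credential cache a session actually got (KRB5CCNAME, or the
# libkrb5 default if it is unset) against the policy in krb5.conf's
# default_ccache_name and reports whether the policy is honoured.

# Print default_ccache_name from the [libdefaults] section of a krb5.conf.
# Only [libdefaults] is consulted: the same key inside [realms] is ignored.
ccache_policy() {
    awk '
        /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && /^[ \t]*default_ccache_name[ \t]*=/ {
            sub(/^[ \t]*default_ccache_name[ \t]*=[ \t]*/, "")
            sub(/[ \t]+$/, "")
            print; exit
        }' "$1"
}

# Type prefix of a ccache name ("FILE", "KEYRING", "DIR", ...). A name with
# no colon is a bare path, which libkrb5 treats as a FILE: cache.
ccache_type() {
    case "$1" in
        *:*) printf '%s\n' "${1%%:*}" ;;
        *)   printf 'FILE\n' ;;
    esac
}

# check_session <krb5.conf> <value of KRB5CCNAME, empty string if unset>
# Prints one line; returns 0 when the session matches policy, 1 otherwise.
check_session() {
    conf=$1
    session=$2
    policy=$(ccache_policy "$conf")
    if [ -z "$policy" ]; then
        # Assumption: stock MIT Kerberos compiled-in default when unset.
        policy="FILE:/tmp/krb5cc_%{uid}"
    fi
    if [ -z "$session" ]; then
        # KRB5CCNAME unset: libkrb5 falls back to default_ccache_name itself,
        # which is option (b) from the bug report and satisfies the policy.
        printf 'OK: KRB5CCNAME unset, libkrb5 will use %s\n' "$policy"
        return 0
    fi
    want=$(ccache_type "$policy")
    got=$(ccache_type "$session")
    if [ "$want" = "$got" ]; then
        printf 'OK: session uses a %s: cache as policy requires\n' "$got"
        return 0
    fi
    printf 'MISMATCH: policy wants %s: but session has %s: (%s)\n' \
        "$want" "$got" "$session"
    return 1
}

# Constructed sample krb5.conf reproducing the reporter's setting, plus a
# decoy default_ccache_name inside [realms] that must not be picked up.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.ORG
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
    EXAMPLE.ORG = {
        default_ccache_name = FILE:/tmp/should_not_be_picked
    }
EOF

# On a live host, inside a gssapi-with-mic session, run:
#   check_session /etc/krb5.conf "$KRB5CCNAME"
# A 20.04 sshd as described in the report yields the MISMATCH line, because
# KRB5CCNAME is FILE:/tmp/krb5cc_<uid>_<random> while policy wants KEYRING:.
```

Run it once in a console (PAM) login and once in a gssapi-with-mic ssh session: the first should report OK and the second, on an affected host, MISMATCH. Because the check reads KRB5CCNAME rather than calling klist, it also works before any ticket has been stored in the cache.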