[Bug 1889548] Re: ssh using gssapi will enforce FILE: credentials cache

Christian Ehrhardt  1889548 at bugs.launchpad.net
Tue Aug 4 07:22:35 UTC 2020


Hi Toby,

It seems that has been an ongoing topic for years; I've found this discussed
from the KRB POV [1] and on openssh [2]. Especially following [1] it
seems things aren't too easy but there are a few workarounds/hints that
might or might not help your use case.

In general having this configurable instead of hard-coded in ssh sounds
right to me, but would then be an upstream feature request that you
could report at [3]. If you happen to do so it would be awesome to
report the ID back here so that we can link the bugs and track what
upstream thinks/says about it.


One thing though - you write explicitly "to a 20.04 machine"; is that behavior in any way a regression compared to the former versions?

[1]: http://kerberos.996246.n3.nabble.com/KRB5CCNAME-and-sshd-td13395.html
[2]: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-December/033217.html
[3]: https://bugzilla.mindrot.org/show_bug.cgi

** Changed in: openssh (Ubuntu)
       Status: New => Confirmed

** Changed in: openssh (Ubuntu)
   Importance: Undecided => Wishlist

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1889548

Title:
  ssh using gssapi will enforce FILE: credentials cache

Status in openssh package in Ubuntu:
  Confirmed

Bug description:
  Hi,

  ssh connections from a client with the following in ssh_config...

  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes

  ... to an ubuntu 20.04 machine result in KRB5CCNAME being set to
  'FILE:/tmp/krb5cc_[uid]_[random]' despite the following in
  /etc/krb5.conf:

  [libdefaults]
   ...
   default_ccache_name = KEYRING:persistent:%{uid}

  This means that we cannot enforce a policy to use KEYRING ccaches
  across our systems.  Authentications which go via the pam stack (e.g.
  login to the machine at the console or over ssh using a password) can
  be configured to use a KEYRING ccache, via libpam-krb5 settings in
  /etc/krb5.conf.

  The FILE: setting seems to be hard-coded in the openssh code
  (auth-krb5.c).  It would be great if ssh (gssapi-with-mic) connections
  either (a) set KRB5CCNAME to the default_ccache_name value, if set in
  /etc/krb5.conf, or (b) didn't set KRB5CCNAME at all, so the system
  default is used.

  Many thanks
  Toby Blake
  School of Informatics
  University of Edinburgh
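
The policy gap described in the report can be audited per session by comparing KRB5CCNAME with default_ccache_name. The script below is an added example, not code from the bug report or from openssh; the function names are hypothetical, and the uid 1000 and the random suffix in the sample are constructed.

```shell
#!/bin/sh
# Added example: compare a session's KRB5CCNAME with default_ccache_name.

# Type of a ccache name. MIT krb5 treats a name with no "TYPE:" prefix
# (for example a bare path) as a FILE ccache.
ccache_type() {
    case "$1" in
        /*)  echo FILE ;;
        *:*) echo "${1%%:*}" ;;
        *)   echo FILE ;;
    esac
}

# First default_ccache_name in [libdefaults]. Simplification of this
# example: include/includedir directives are not followed.
default_ccache_name() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { in_sec = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_sec && /^[ \t]*default_ccache_name[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# Returns 0 if the session follows policy, 1 on mismatch, 2 if no policy.
check_ccache_policy() {
    want=$(default_ccache_name "$1")
    [ -n "$want" ] || { echo "no default_ccache_name in $1"; return 2; }
    if [ -z "$2" ]; then   # unset: libkrb5 falls back to the default
        echo "OK: KRB5CCNAME unset, default $want applies"; return 0
    fi
    if [ "$(ccache_type "$2")" = "$(ccache_type "$want")" ]; then
        echo "OK: $2"; return 0
    fi
    echo "MISMATCH: session uses $2, policy is $want"; return 1
}

# Constructed sample: the krb5.conf setting and KRB5CCNAME shape from the report.
sample_conf=$(mktemp)
printf '[libdefaults]\n default_ccache_name = KEYRING:persistent:%%{uid}\n' > "$sample_conf"
check_ccache_policy "$sample_conf" "FILE:/tmp/krb5cc_1000_AbCdEf" || true
check_ccache_policy "$sample_conf" "KEYRING:persistent:1000" || true
rm -f "$sample_conf"
```

In a real session, call check_ccache_policy /etc/krb5.conf "$KRB5CCNAME" from a login hook or a compliance job and act on a return code of 1.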
