[Bug 1889548] Re: ssh using gssapi will enforce FILE: credentials cache
Christian Ehrhardt
1889548 at bugs.launchpad.net
Fri Aug 7 05:58:26 UTC 2020
Due to that hint with SciLinux I have fetched
http://ftp.scientificlinux.org/linux/scientific/7.8/SRPMS/vendor/openssh-7.4p1-21.el7.src.rpm
I can't see it but that is https://bugzilla.redhat.com/show_bug.cgi?id=991186
I can see follow-on issues referring to it https://bugzilla.redhat.com/show_bug.cgi?id=1161073 though.
# use default_ccache_name from /etc/krb5.conf (#991186)
Patch902: openssh-6.3p1-krb5-use-default_ccache_name.patch
The patch is not/no-more in https://git.centos.org/rpms/openssh/blob/c8/f/SOURCES
But in https://git.centos.org/rpms/openssh/blob/c7/f/SOURCES/openssh-6.3p1-krb5-use-default_ccache_name.patch
That is suspicious, there must be a reason it is gone, right?
Maybe it was hard to maintain or somewhat bad and they only could drop it on the major version change.
In the v8 spec I find:
# Improve ccache handling in openssh (#991186, #1199363, #1566494)
# https://bugzilla.mindrot.org/show_bug.cgi?id=2775
Patch804: openssh-7.7p1-gssapi-new-unique.patch
# Respect k5login_directory option in krk5.conf (#1328243)
Patch805: openssh-7.2p2-k5login_directory.patch
FYI navigate from here
https://git.centos.org/rpms/openssh/blob/c8/f/SPECS/openssh.spec
I'm not sure on this, but maybe carrying more of the RH sauce back to upstream might help.
Definitely activity on the new or old upstream bug will be needed.
Keep us in the loop here what happens.
** Bug watch added: Red Hat Bugzilla #991186
https://bugzilla.redhat.com/show_bug.cgi?id=991186
** Bug watch added: Red Hat Bugzilla #1161073
https://bugzilla.redhat.com/show_bug.cgi?id=1161073
** Bug watch added: OpenSSH Portable Bugzilla #2775
https://bugzilla.mindrot.org/show_bug.cgi?id=2775
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1889548
Title:
ssh using gssapi will enforce FILE: credentials cache
Status in openssh package in Ubuntu:
Confirmed
Bug description:
Hi,
ssh connections from a client with the following in ssh_config...
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
... to an Ubuntu 20.04 machine result in KRB5CCNAME being set to
'FILE:/tmp/krb5cc_[uid]_[random]' despite the following in
/etc/krb5.conf:
[libdefaults]
...
default_ccache_name = KEYRING:persistent:%{uid}
This means that we cannot enforce a policy to use KEYRING ccaches
across our systems. Authentications which go via the pam stack (e.g.
login to the machine at the console or over ssh using a password) can
be configured to use a KEYRING ccache, via libpam-krb5 settings in
/etc/krb5.conf.
The FILE: setting seems to be hard-coded in the openssh code (auth-krb5.c).
It would be great if ssh(gssapi-with-mic) connections either
(a) set KRB5CCNAME to the default_ccache_name value, if set in
/etc/krb5.conf, or (b) didn't set KRB5CCNAME at all, so the system
default is used.
Many thanks
Toby Blake
School of Informatics
University of Edinburgh
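As an added example, not part of the bug report or of the OpenSSH/Red Hat patches discussed above, here is a POSIX shell check that compares the KRB5CCNAME a gssapi-with-mic session received against the default_ccache_name policy in krb5.conf, so the FILE: vs KEYRING: mismatch described in this report can be detected on each host. It assumes the %{uid} template form shown above and libkrb5's rule that a bare path denotes a FILE: cache; the function names and the constructed sample krb5.conf are mine.

```shell
#!/bin/sh
# Check whether the credential cache a session received (KRB5CCNAME) matches the
# default_ccache_name policy in krb5.conf. Example code written for this report; it
# assumes the %{uid} template form and that a bare path means a FILE: cache.

# Print the default_ccache_name value from the [libdefaults] section only; keys in
# other sections (e.g. [logging] "default = FILE:...") must not be picked up.
krb5_default_ccache_name() {
    awk '
        /^[ \t]*\[/ { in_ld = ($0 ~ /^[ \t]*\[libdefaults\][ \t]*$/); next }
        in_ld && /^[ \t]*default_ccache_name[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$1"
}

# Expand the %{uid} template used by libkrb5 for a given numeric uid.
expand_ccache_template() {
    printf '%s\n' "$1" | sed "s/%{uid}/$2/g"
}

# Cache type is the part before the first colon; a bare path is a FILE: cache.
ccache_type() {
    case "$1" in
        *:*) printf '%s\n' "${1%%:*}" ;;
        *)   printf 'FILE\n' ;;
    esac
}

# check_ccache_policy CONF ACTUAL_KRB5CCNAME UID
# Returns 0 when the cache type matches policy, 1 on mismatch, 2 when no policy is set.
check_ccache_policy() {
    policy=$(krb5_default_ccache_name "$1")
    if [ -z "$policy" ]; then
        echo "no default_ccache_name in $1; libkrb5 built-in default applies"
        return 2
    fi
    expected=$(expand_ccache_template "$policy" "$3")
    if [ "$(ccache_type "$2")" = "$(ccache_type "$expected")" ]; then
        echo "ok: $2 has the cache type required by policy ($expected)"
        return 0
    fi
    echo "MISMATCH: session ccache is '$2' but policy expects '$expected'"
    return 1
}

# Stand-alone use right after a gssapi-with-mic login:  sh check_ccache.sh [/etc/krb5.conf]
if [ -n "$KRB5CCNAME" ]; then
    check_ccache_policy "${1:-/etc/krb5.conf}" "$KRB5CCNAME" "$(id -u)"
fi
```

Run it from the sshd-side login shell of a delegated session; a non-zero exit on a host whose krb5.conf sets KEYRING:persistent:%{uid} is exactly the behaviour this bug describes.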