[Bug 1889548] Re: ssh using gssapi will enforce FILE: credentials cache

Toby Blake 1889548 at bugs.launchpad.net
Mon Aug 10 14:34:42 UTC 2020 

Hi Christian,

Again, thanks for the above.

https://bugzilla.mindrot.org/show_bug.cgi?id=2775, in particular, looks
interesting, as it seems to be an attempt to bring the relevant ccache
patches up to date for version 8.  e.g. we have been patching our SL
systems additionally for
https://bugzilla.redhat.com/show_bug.cgi?id=1199363.

I'll give this a try and report back.  I'll hold off on reporting this
as a bug upstream until I've tried the patch(es).

Cheers
Toby


** Bug watch added: Red Hat Bugzilla #1199363
   https://bugzilla.redhat.com/show_bug.cgi?id=1199363

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1889548

Title:
  ssh using gssapi will enforce FILE: credentials cache

Status in openssh package in Ubuntu:
  Confirmed

Bug description:
  Hi,

  ssh connections from a client with the following in ssh_config...

  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes

  ... to an ubuntu 20.04 machine result in KRB5CCNAME being set to
  'FILE:/tmp/krb5cc_[uid]_[random]' despite the following in
  /etc/krb5.conf:

  [libdefaults]
   ...
   default_ccache_name = KEYRING:persistent:%{uid}

  This means that we cannot enforce a policy to use KEYRING ccaches
  across our systems.  Authentications which go via the pam stack (e.g.
  login to the machine at the console or over ssh using a password) can
  be configured to use a KEYRING ccache, via libpam-krb5 settings in
  /etc/krb5.conf.

  The FILE: setting seems to be hard-coded in the openssh code (auth-
  krb5.c).  It would be great if ssh(gssapi-with-mic) connections either
  (a) set KRB5CCNAME to the default_ccache_name value, if set in
  /etc/krb5.conf, or (b) didn't set KRB5CCNAME at all, so the system
  default is used.

  Many thanks
  Toby Blake
  School of Informatics
  University of Edinburgh

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1889548/+subscriptions

More information about the foundations-bugs mailing list