[Bug 1889548] Re: ssh using gssapi will enforce FILE: credentials cache
Andreas Hasenack
1889548 at bugs.launchpad.net
Fri Jul 8 20:09:19 UTC 2022
** Also affects: openssh via
   https://bugzilla.mindrot.org/show_bug.cgi?id=3203
   Importance: Unknown
   Status: Unknown
--
https://bugs.launchpad.net/bugs/1889548
Title:
  ssh using gssapi will enforce FILE: credentials cache

Status in portable OpenSSH:
  Unknown
Status in openssh package in Ubuntu:
  Confirmed

Bug description:

Hi,

ssh connections from a client with the following in ssh_config...

    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

... to an Ubuntu 20.04 machine result in KRB5CCNAME being set to
'FILE:/tmp/krb5cc_[uid]_[random]' despite the following in
/etc/krb5.conf:

    [libdefaults]
    ...
    default_ccache_name = KEYRING:persistent:%{uid}
This means that we cannot enforce a policy to use KEYRING ccaches
across our systems. Authentications which go via the pam stack (e.g.
login to the machine at the console or over ssh using a password) can
be configured to use a KEYRING ccache, via libpam-krb5 settings in
/etc/krb5.conf.
The FILE: setting seems to be hard-coded in the openssh code
(auth-krb5.c). It would be great if ssh(gssapi-with-mic) connections either
(a) set KRB5CCNAME to the default_ccache_name value, if set in
/etc/krb5.conf, or (b) didn't set KRB5CCNAME at all, so the system
default is used.
Many thanks
Toby Blake
School of Informatics
University of Edinburgh
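
Added example (not part of the original bug report and not OpenSSH code): a shell check that compares the credential cache type in a session's KRB5CCNAME with the default_ccache_name configured in a krb5.conf. The function names and sample values are constructed, and the script assumes the setting is written directly in the file it is given (include directives are not followed).

```shell
#!/bin/sh
# Added example; function names and sample values are constructed.

# Print default_ccache_name from the [libdefaults] section of a krb5.conf.
configured_ccache() {
    awk '
        /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && /^[ \t]*default_ccache_name[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            print; exit
        }
    ' "$1"
}

# Cache type is the text before the first colon; a bare path means FILE.
ccache_type() {
    case "$1" in
        *:*) printf '%s\n' "${1%%:*}" ;;
        *)   printf 'FILE\n' ;;
    esac
}

# check_ccache_policy CONF VALUE: 0 = consistent, 1 = mismatch, 2 = no policy.
check_ccache_policy() {
    want=$(configured_ccache "$1")
    if [ -z "$want" ]; then
        echo "no default_ccache_name in $1"; return 2
    fi
    if [ -z "$2" ]; then
        echo "OK: KRB5CCNAME unset, library default $want applies"; return 0
    fi
    want_t=$(ccache_type "$want"); have_t=$(ccache_type "$2")
    if [ "$want_t" = "$have_t" ]; then
        echo "OK: session cache $2 matches configured type $want_t"; return 0
    fi
    echo "MISMATCH: session cache $2 is $have_t, krb5.conf asks for $want"
    return 1
}

# Demo on constructed input shaped like the values in the report.
conf=$(mktemp)
printf '[libdefaults]\n  default_ccache_name = KEYRING:persistent:%%{uid}\n' > "$conf"
check_ccache_policy "$conf" 'FILE:/tmp/krb5cc_1000_AbCdEf' || true
rm -f "$conf"
```

Inside a live session the call would be check_ccache_policy /etc/krb5.conf "$KRB5CCNAME".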