KEYRING:persistent and ssh
Russ Allbery
eagle at eyrie.org
Mon Sep 19 12:23:16 EDT 2016
tseegerkrb <tseegerkrb at gmail.com> writes:
> I think the sshd daemon does not honor the "default_ccache_name" and uses
> the default file format.
I'm pretty sure you're correct if you're doing GSS-API authentication with
ssh. Looking at the source code to sshd, you don't seem to get much
choice in the matter:
    # ifdef HAVE_KRB5_CC_NEW_UNIQUE
            problem = krb5_cc_new_unique(authctxt->krb5_ctx,
                krb5_fcc_ops.prefix, NULL, &authctxt->krb5_fwd_ccache);
    # else
            problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
                &authctxt->krb5_fwd_ccache);
    # endif
    [...]
            authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx,
                authctxt->krb5_fwd_ccache);
            len = strlen(authctxt->krb5_ticket_file) + 6;
            authctxt->krb5_ccname = xmalloc(len);
    #ifdef USE_CCAPI
            snprintf(authctxt->krb5_ccname, len, "API:%s",
                authctxt->krb5_ticket_file);
    #else
            snprintf(authctxt->krb5_ccname, len, "FILE:%s",
                authctxt->krb5_ticket_file);
    #endif
You'd need to write a PAM module that read in that ticket cache file and
wrote it back out to your preferred ticket cache format and then adjusted
KRB5CCNAME in the user's environment. Unfortunately, there doesn't appear
to be any way of preventing the ticket cache from being temporarily
written to /tmp.
--
Russ Allbery (eagle at eyrie.org) <http://www.eyrie.org/~eagle/>