KRB5CCNAME and sshd

Victor Sudakov vas at mpeks.no-spam-here.tomsk.su
Fri Jan 27 11:50:16 EST 2006


"Douglas E. Engert" wrote:
>> 
>> I have "GSSAPIAuthentication yes" in sshd_config on the server machine
>> and in ssh_config on the client machine.
>> 
>> Each time I ssh into the server machine, the value of KRB5CCNAME
>> (probably set by sshd) is different. Is there a way to keep it 
>> the same every time I login?
> 
> Not really. Most people want session bassed credential cashes,
> so that multiple sessions on the same machine do not interfere with
> each other. SSH will delete the session cache at the end of a session
> if it created it.
> 
> But then again you might want be able to refressh credentials,
> in your other sessions. This could be done manually by replacing
> the UID based common cache and unsetting the KRB5CCNAME set by sshd.
> But don't destory the shared cache. Watch out for console logins
> that ususlly use the default cache name.

I will tell you what I am trying to achieve, perhaps you can give me
advice. 

I "kinit -f" on the client box at home and then ssh to the server box
at work.  On the server box, I have screen(1) running, which I
reattach after login and detach before logout. It runs for weeks and
even months on end.

You know that all screen "sessions" or "windows" inherit the
environment variables from the shell where screen was started
initially. So, $KRB5CCNAME in the screen "sessions" points to stale
credential caches, even though the fresh credentials have been
correctly forwarded from the client machine and are available in some
new place (but there is no way to inform the applications within
screen about this new place).

I would like to achieve that if my credentials have been forwarded to
the server box, they should be refreshed in all the screen windows.
> 
>> 
>> The value of "/tmp/krb5cc_NN" where NN is my uid would be fine.
>> 
>> I am running OpenSSH 3.8.1 on FreeBSD 5.x
>> 
> 

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/



More information about the Kerberos mailing list