KRB5CCNAME and sshd

Victor Sudakov vas at mpeks.no-spam-here.tomsk.su
Sat Jan 28 00:37:52 EST 2006


Donn Cave wrote:
>> I will tell you what I am trying to achieve, perhaps you can give me
>> advice. 
>> 
>> I "kinit -f" on the client box at home and then ssh to the server box
>> at work.  On the server box, I have screen(1) running, which I
>> reattach after login and detach before logout. It runs for weeks and
>> even months on end.
>> 
>> You know that all screen "sessions" or "windows" inherit the
>> environment variables from the shell where screen was started
>> initially. So, $KRB5CCNAME in the screen "sessions" points to stale
>> credential caches, even though the fresh credentials have been
>> correctly forwarded from the client machine and are available in some
>> new place (but there is no way to inform the applications within
>> screen about this new place).
>> 
>> I would like to achieve that if my credentials have been forwarded to
>> the server box, they should be refreshed in all the screen windows.
> 
> That certainly must be a manual operation.  I don't use screen,
> but I suppose you have a number of concurrent shell processes,

The applications running under screen are not necessarily shell
processes. They could be applications like a mail client, IRC client etc.

> and they are not really aware of this connect/disconnect cycle,

Correct. 

> so they have no way to know when it's time to update KRB5CCNAME.
> You must therefore enter some command, in each window, to get
> them to do that.
> 
> The command can be a simple one, if you use an alias or shell
> procedure.  Your shell startup can save the value of KRB5CCNAME
> somewhere so the old screen shell can find it.

However, a manual operation could be easily avoided if I could
persuade sshd to store the forwarded credentials always in the same
place.

For example, telnetd does not do any such fancy things with unique
KRB5CCNAME for each new login.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
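One way to get what both replies describe without a per-window manual step: keep a stable, per-user symlink that always points at the most recently forwarded cache, repoint it from the login shell's startup file, and have every screen window export a KRB5CCNAME that names the symlink rather than the cache sshd created. The shell functions below are an added example, not code from this thread; they assume a Bourne-compatible shell, OpenSSH-style forwarded caches of the form FILE:/tmp/krb5cc_XXXXXX, and a link path of ~/.krb5cc-link chosen for this example.

```shell
# Added example (not from the original thread): publish the forwarded
# Kerberos cache under a stable name so long-lived screen(1) windows can
# keep using it.  Assumed: POSIX sh, caches forwarded by sshd as
# FILE:/tmp/krb5cc_XXXXXX, and the hypothetical link path ~/.krb5cc-link.

# Where the stable pointer lives.  Kept under $HOME (mode 0700 expected)
# rather than a world-writable /tmp, so another local user cannot
# pre-create it and redirect the link (classic symlink attack).
krb5_link() { printf '%s/.krb5cc-link' "${HOME}"; }

# Strip an optional "FILE:" prefix; a forwarded cache is a plain file.
krb5_cache_path() {
    case "$1" in
        FILE:*) printf '%s' "${1#FILE:}" ;;
        *)      printf '%s' "$1" ;;
    esac
}

# Call from the login shell's startup file, after sshd has set KRB5CCNAME
# for the new session.  Repoints the stable link at the fresh cache.
# Returns 1 (and leaves the link alone) if there is no usable cache.
krb5_publish_cache() {
    [ -n "${KRB5CCNAME}" ] || return 1
    cache=$(krb5_cache_path "${KRB5CCNAME}")
    [ -f "${cache}" ] || return 1
    # -n: if the target of the link is a directory symlink, replace the
    # link itself instead of creating a new link inside it.
    ln -sfn "${cache}" "$(krb5_link)"
}

# Call once in the shell that starts screen (or in each window).  Every
# application started afterwards inherits a KRB5CCNAME that never
# changes; only what the link points to changes between logins.
krb5_use_published_cache() {
    link=$(krb5_link)
    [ -L "${link}" ] || return 1
    KRB5CCNAME="FILE:${link}"
    export KRB5CCNAME
}
```

Two caveats worth knowing before relying on this. First, with OpenSSH's default GSSAPICleanupCredentials yes, sshd deletes the forwarded cache when the session that carried it ends, so the link dangles until the next login with forwarding; that is the desired behaviour, since the tickets are not left behind. Second, applications that copy the cache path once at startup (rather than reopening KRB5CCNAME each time they need a ticket) will still follow the link, because the link's name is constant; only applications that resolve the symlink and remember the resolved path would need a restart.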


