KRB5CCNAME and sshd

Douglas E. Engert deengert at anl.gov
Mon Jan 30 10:20:21 EST 2006 


Victor Sudakov wrote:
> "Douglas E. Engert" wrote:
> 
>>>I have "GSSAPIAuthentication yes" in sshd_config on the server machine
>>>and in ssh_config on the client machine.
>>>
>>>Each time I ssh into the server machine, the value of KRB5CCNAME
>>>(probably set by sshd) is different. Is there a way to keep it 
>>>the same every time I login?
>>
>>Not really. Most people want session bassed credential cashes,
>>so that multiple sessions on the same machine do not interfere with
>>each other. SSH will delete the session cache at the end of a session
>>if it created it.
>>
>>But then again you might want be able to refressh credentials,
>>in your other sessions. This could be done manually by replacing
>>the UID based common cache and unsetting the KRB5CCNAME set by sshd.
>>But don't destory the shared cache. Watch out for console logins
>>that ususlly use the default cache name.
> 
> 
> I will tell you what I am trying to achieve, perhaps you can give me
> advice. 
> 
> I "kinit -f" on the client box at home and then ssh to the server box
> at work.  On the server box, I have screen(1) running, which I
> reattach after login and detach before logout. It runs for weeks and
> even months on end.
> 
> You know that all screen "sessions" or "windows" inherit the
> environment variables from the shell where screen was started
> initially. So, $KRB5CCNAME in the screen "sessions" points to stale
> credential caches, even though the fresh credentials have been
> correctly forwarded from the client machine and are available in some
> new place (but there is no way to inform the applications within
> screen about this new place).
> 
> I would like to achieve that if my credentials have been forwarded to
> the server box, they should be refreshed in all the screen windows.

As Donn and Russ have made some good comments. AS you might realize by now
that this is not an easy problem to solve, as there are outstanding issues.

The point being that the krb libs will look for KRB5CCNAME if present
and if not use the default name of krb5cc_<uid>  Since all your processes are
running under the same uid, you can manipulate all of your file caches from
any of your processes.

But the above may only work for file based credentials. If you are using AFS
or NFSv4 there are other issues, as the sessions may be in separate
Process Authentication Groups. Some process in the PAG may have to
use the new credentials to refresh the credentials in the kernel (AFS token)
for example. So each session may need a process that notices the ticket
cache has been updated, then gets the new AFS token. I believe Standford
has a program to do this for AFS.

If one of you sessions uses ssh to connect to a third system,
you may want to forward credentials to that system as well.



> 
>>>The value of "/tmp/krb5cc_NN" where NN is my uid would be fine.
>>>
>>>I am running OpenSSH 3.8.1 on FreeBSD 5.x
>>>
>>
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list