How does the NFS client find a user's tickets in a filesystem?

moritz.willers@ubs.com moritz.willers at ubs.com
Mon Sep 15 04:44:59 EDT 2014


Wendy,

rpc.gssd on Linux looks in /tmp for files which start with krb5cc. The
location where rpc.gssd is looking can be overridden with the -d option.

- mo

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
Behalf Of Wendy Lin
Sent: 15 September 2014 08:44
To: Frank Cusack
Cc: <kerberos at mit.edu>
Subject: Re: How does the NFS client find a user's tickets in a filesystem?

On 14 September 2014 23:46, Frank Cusack <frank at linetwo.net> wrote:
> On Fri, Sep 12, 2014 at 8:53 AM, Wendy Lin <wendlin1974 at gmail.com> wrote:
>> How does the NFS client (say, Linux and AIX) find a user's krb5
>> tickets in the filesystem? Does /sbin/mount forward the ticket to rpc.gssd?
>>
> There's a so-called 'upcall' mechanism in the filesystem.  rpc.gssd 
> gets requests from the nfs client through that and sends the answers 
> through the same mechanism.  It's very patchwork IMHO.
>
> /sbin/mount and mounts_nfs per se have no knowledge of this 
> authentication backdoor.

How does rpc.gssd find the tickets? They can be anywhere, as defined by
the KRB5CCNAME variable in the user's environment.

Wendy

>
>>
>> Wendy
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>



--
Wendy
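
An added example, not part of the thread and not rpc.gssd's own code: a short Python audit that lists the files a prefix scan like the one described in the reply would pick up in a directory, and flags entries whose type, mode or owner make them unsafe in a shared location such as /tmp. The function names, the specific checks and the sample files are assumptions of this example.

```python
import os
import stat
import tempfile

PREFIX = "krb5cc"  # file-name prefix named in the reply above


def audit_ccache_dir(directory="/tmp", expected_uid=None):
    """Map each file name starting with PREFIX to a list of problems found."""
    report = {}
    for name in sorted(os.listdir(directory)):
        if not name.startswith(PREFIX):
            continue
        # lstat, not stat: a symlink planted in a shared directory must be
        # reported as a symlink, not silently followed to its target.
        st = os.lstat(os.path.join(directory, name))
        problems = []
        if not stat.S_ISREG(st.st_mode):
            problems.append("not a regular file")
        elif st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append("accessible by group or other")
        if expected_uid is not None and st.st_uid != expected_uid:
            problems.append("not owned by uid %d" % expected_uid)
        report[name] = problems
    return report


def build_sample_dir(directory):
    """Populate `directory` with constructed sample files (no real tickets)."""
    for name, mode in (("krb5cc_1000", 0o600), ("krb5cc_loose", 0o644),
                       ("notes.txt", 0o600)):
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample, not a credential cache")
        os.chmod(path, mode)  # set explicitly so the umask does not matter
    os.symlink(os.path.join(directory, "notes.txt"),
               os.path.join(directory, "krb5cc_link"))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sample:
        build_sample_dir(sample)
        for name, problems in audit_ccache_dir(sample, os.getuid()).items():
            print(name, "->", ", ".join(problems) or "ok")
```

To check a live host, call `audit_ccache_dir` with the directory rpc.gssd is configured to search (the default, or the one given with `-d`) and the uid of the user whose tickets are expected there.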