KEYRING:persistent and ssh
tseegerkrb
tseegerkrb at gmail.com
Wed Sep 21 02:15:08 EDT 2016
Thanks for your help. Is my setup (kerberos/OpenLDAP/sssd/sshd) so special
that nobody is using it? I think I will ask the debian/ubuntu or the openssh
maintainer for help.
On 19.09.2016 18:23, Russ Allbery wrote:
> tseegerkrb <tseegerkrb at gmail.com> writes:
>
>> I think the sshd daemon does not honor the "default_ccache_name" and uses
>> the default file format.
> I'm pretty sure you're correct if you're doing GSS-API authentication with
> ssh. Looking at the source code to sshd, you don't seem to get much
> choice in the matter:
>
> # ifdef HAVE_KRB5_CC_NEW_UNIQUE
>         problem = krb5_cc_new_unique(authctxt->krb5_ctx,
>             krb5_fcc_ops.prefix, NULL, &authctxt->krb5_fwd_ccache);
> # else
>         problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
>             &authctxt->krb5_fwd_ccache);
> # endif
>
> [...]
>
>         authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
>
>         len = strlen(authctxt->krb5_ticket_file) + 6;
>         authctxt->krb5_ccname = xmalloc(len);
> #ifdef USE_CCAPI
>         snprintf(authctxt->krb5_ccname, len, "API:%s",
>             authctxt->krb5_ticket_file);
> #else
>         snprintf(authctxt->krb5_ccname, len, "FILE:%s",
>             authctxt->krb5_ticket_file);
> #endif
>
> You'd need to write a PAM module that read in that ticket cache file and
> wrote it back out to your preferred ticket cache format and then adjusted
> KRB5CCNAME in the user's environment. Unfortunately, there doesn't appear
> to be any way of preventing the ticket cache from being temporarily
> written to /tmp.
>
More information about the Kerberos mailing list