KEYRING:persistent and ssh
tseegerkrb
tseegerkrb at gmail.com
Tue Sep 27 03:40:45 EDT 2016
On 21.09.2016 20:03, Russ Allbery wrote:
> tseegerkrb <tseegerkrb at gmail.com> writes:
>
>> Thanks for your help. Is my setup so special (Kerberos/OpenLDAP/sssd/sshd)
>> that nobody is using it? I think I will ask Debian/Ubuntu or the OpenSSH
>> maintainer for help.
> It's sadly quite unusual to use non-FILE ticket caches. I wish it
> weren't, since KEYRING has nice security properties, but it's relatively
> new and the rest of the world has definitely not adapted yet.
>
Maybe I have another problem, because if I connect from a client without a
ticket I get (after I enter my password) a ticket and it uses the
KEYRING:persistent cache. KRB5CCNAME is set to the KEYRING:persistent
and I can ssh to the next box without entering my password again, but
then it uses the file-based ticket cache...
Another problem is that I cannot use user@REALM to ssh to the next box
without a password. If I use "kinit user@REALM" I get a ticket, but if I
then "ssh -l user@REALM mybox" it asks for the password again. But if I
just use "ssh -l user mybox" it connects without the password.
Any idea where I should search for the failure?