KEYRING:persistent and ssh

Charles Hedrick hedrick at rutgers.edu
Tue Apr 7 10:24:52 EDT 2020


we use a pam module that normalizes the credential cache. If krb5.conf asks for KEYRING and sshd leaves the cache in /tmp, the code moves it into KEYRING and updates KRB5CCNAME.

I really like KEYRING. Our staff have multiple principals. With a collection, kinit will create a new cache in the collection without disrupting the old one, so kswitch can take you back. We use two-factor, so we’d rather not have to get new credentials.

However there’s a gotcha. Kerberized NFS uses (by default) the currently selected principal. So for a collection to be useful, we also have a ccselect plugin to make sure that NFS (actually rpc.gssd) always gets the right principal from the collection.


> On Mar 5, 2020, at 11:44:47 PM, abdullahrao <abdullah.s.rao at gmail.com> wrote:
> 
> Hi,
> 
> I had faced the same issue and found that I had to change the value for
> default_ccache_name from "KEYRING:persistent:%{uid}" to "/tmp/krb5cc_%{uid}"
> 
> 
> 
> --
> Sent from: http://kerberos.996246.n3.nabble.com/Kerberos-General-f11810.html
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos




More information about the Kerberos mailing list