[krbdev.mit.edu #8766] ksu sets KRB5CCNAME to MEMORY:_ksu when using switchable default cache
Toby Blake via RT
rt-comment at KRBDEV-PROD-APP-1.mit.edu
Tue Dec 18 11:26:05 EST 2018
Hi,
When the default cache is a switchable one, e.g. KEYRING, as set by...
[libdefaults]
default_ccache_name = KEYRING:persistent:%{uid}
... using ksu will result in KRB5CCNAME being set to MEMORY:_ksu and
having no credentials:
[bolt]toby: ksu . -n toby/root
WARNING: Your password may be exposed if you enter it here and are logged
in remotely using an unsecure (non-encrypted) channel.
Kerberos password for toby/root at INF.ED.AC.UK: :
Leaving uid as toby (xxxxx)
[bolt]toby: klist
klist: No credentials cache found
[bolt]toby: echo $KRB5CCNAME
MEMORY:_ksu
[bolt]toby:
This seems to happen in src/clients/ksu/main.c:resolve_target_cache...
The check to determine if the cache type is switchable resolves to true
and the subsequent call to krb5_cc_resolve_cache_match seems to match
on the 'MEMORY:_ksu' cache as used internally by ksu, hence this cache is
returned.
Note this is running the os-shipped 1.15.1 on Scientific Linux 7.5. It
doesn't appear that the relevant code has subsequently changed (in 1.16.2)
but I can't easily test the behaviour.
Cheers
Toby
--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
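
Added example, not part of the original message and not MIT krb5 code: a shell check for the condition the report shows, where krb5.conf names a switchable default cache but the post-ksu shell has KRB5CCNAME pointing at a MEMORY cache. The function names and the list of switchable types (KEYRING, DIR, KCM) are assumptions made for this sketch, and the sample configuration is constructed from the report.

```shell
#!/bin/sh
# Added diagnostic, not part of the original report.

# Cache type = text before the first ':'; a bare path means FILE.
cc_type() {
    case "$1" in
        *:*) printf '%s\n' "${1%%:*}" ;;
        *)   printf 'FILE\n' ;;
    esac
}

# Print default_ccache_name from the [libdefaults] section of a krb5.conf.
conf_default_ccache() {
    awk '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_sec && /^[ \t]*default_ccache_name[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$1"
}

# Assumption: the switchable (collection) cache types on Unix builds.
is_switchable() {
    case "$1" in
        KEYRING|DIR|KCM) return 0 ;;
        *) return 1 ;;
    esac
}

# check_ksu_ccache CONF CCNAME: returns 1 when the configured default is
# switchable but the shell was handed a MEMORY cache, which is private to
# the process that created it and so is empty for klist and everything else.
check_ksu_ccache() {
    conf_type=$(cc_type "$(conf_default_ccache "$1")")
    if is_switchable "$conf_type" && [ "$(cc_type "$2")" = MEMORY ]; then
        echo "MISMATCH: default cache type $conf_type, KRB5CCNAME=$2"
        return 1
    fi
    echo "ok: default cache type $conf_type, KRB5CCNAME=$2"
}

# Constructed sample mirroring the report's configuration and result.
demo_conf=$(mktemp)
printf '[libdefaults]\n    default_ccache_name = KEYRING:persistent:%%{uid}\n' > "$demo_conf"
check_ksu_ccache "$demo_conf" "MEMORY:_ksu" || true
check_ksu_ccache "$demo_conf" "KEYRING:persistent:1000"
rm -f "$demo_conf"
```

On a real host, call it from the shell that ksu started, as check_ksu_ccache /etc/krb5.conf "$KRB5CCNAME".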