[Bug 2815] New: please set KRB5CCNAME to collection
bugzilla-daemon at bugzilla.mindrot.org
Sun Dec 24 07:21:56 AEDT 2017
https://bugzilla.mindrot.org/show_bug.cgi?id=2815
Bug ID: 2815
Summary: please set KRB5CCNAME to collection
Product: Portable OpenSSH
Version: 7.4p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: Kerberos support
Assignee: unassigned-bugs at mindrot.org
Reporter: hedrick at rutgers.edu
Most current implementations for Kerberos use collections for
credentials, e.g. KEYRING or KCM. E.g. we have our default credentials
set to KEYRING:persistent:%{uid} in krb5.conf. When I log in, that
should result in KRB5CCNAME being set to KEYRING:persistent:1003. When
I ssh and go through PAM, that's what I get. But if I have a current
Kerberos credential, sshd won't invoke PAM for authentication. It will
set up KRB5CCNAME itself. It will set it to this specific cache, e.g.
KEYRING:persistent:1003:1003.
Suppose I need to kinit as a different user, e.g. hedrick.admin. If
KRB5CCNAME is set to the collection, kinit will create a new cache for
hedrick.admin, leaving the original one undisturbed, and change the
primary cache to the new one. Then when I'm finished I can go back to
hedrick using "kswitch -p hedrick". However if KRB5CCNAME is set to
KEYRING:persistent:1003:1003 rather than to KEYRING:persistent:1003,
kinit will replace the credentials, and I'll have to kinit again to go
back to hedrick. With one-time passwords I'd really rather be able to
use kswitch.
I'd appreciate it if you would set KRB5CCNAME to the value from
krb5.conf, and not to the specific credential cache.
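A check for the situation the report describes, as an added example (not code from the report or from OpenSSH): it reads default_ccache_name from a constructed krb5.conf fragment, expands %{uid}, and reports whether a session's KRB5CCNAME names the whole collection or one subsidiary cache inside it (the case where kinit for a second principal overwrites the existing credentials). The krb5.conf text, the uid 1003 and the DIR/KCM member-naming rules are assumptions.

```python
import re

# Constructed sample krb5.conf fragment (assumption: not from the reporter's host)
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.EDU
    default_ccache_name = KEYRING:persistent:%{uid}
"""

def default_ccache_name(conf_text):
    """Return default_ccache_name from [libdefaults], or None if unset."""
    section = None
    for raw in conf_text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "default_ccache_name":
                return value
    return None

def expand_template(template, uid):
    """Expand the %{uid}/%{euid} parameters libkrb5 accepts in cache names."""
    return template.replace("%{uid}", str(uid)).replace("%{euid}", str(uid))

def classify_ccname(ccname, collection):
    """'collection' if KRB5CCNAME names the whole collection, 'subsidiary' if it
    names one cache inside it (kinit would then overwrite it), else 'other'."""
    if ccname == collection:
        return "collection"
    if collection.startswith("DIR:"):
        # DIR collections address members as DIR::<dir>/<file>
        member_prefix = "DIR::" + collection[len("DIR:"):].rstrip("/") + "/"
    else:
        # KEYRING:persistent:<uid>:<name> and KCM:<uid>:<name> use a trailing ':'
        member_prefix = collection + ":"
    return "subsidiary" if ccname.startswith(member_prefix) else "other"

def check_session(conf_text, uid, ccname):
    """Compare a session's KRB5CCNAME with what krb5.conf would have produced."""
    expected = expand_template(default_ccache_name(conf_text) or "", uid)
    return expected, classify_ccname(ccname, expected)
```

Running check_session against the two values from the report (KEYRING:persistent:1003 and KEYRING:persistent:1003:1003) returns "collection" for the PAM path and "subsidiary" for the GSSAPI path.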