[Bug 2815] New: please set KRB5CCNAME to collection

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Sun Dec 24 07:21:56 AEDT 2017


https://bugzilla.mindrot.org/show_bug.cgi?id=2815

            Bug ID: 2815
           Summary: please set KRB5CCNAME to collection
           Product: Portable OpenSSH
           Version: 7.4p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Kerberos support
          Assignee: unassigned-bugs at mindrot.org
          Reporter: hedrick at rutgers.edu

Most current implementations for Kerberos use collections for
credentials, e.g. KEYRING or KCM. E.g. we have our default credentials
set to KEYRING:persistent:%{uid} in krb5.conf. When I login, that
should result in KRB5CCNAME being set to KEYRING:persistent:1003. When
I ssh and go through PAM, that's what I get. But if I have a current
Kerberos credential, sshd won't invoke PAM for authentication. It will
set up KRB5CCNAME itself. It will set it to the specific cache, e.g.
KEYRING:persistent:1003:1003.

Suppose I need to kinit as a different user, e.g. hedrick.admin. If
KRB5CCNAME is set to the collection, kinit will create a new cache for
hedrick.admin, leaving the original one undisturbed, and change the
primary cache to the new one. Then when I'm finished I can go back to
hedrick using "kswitch -p hedrick". However if KRB5CCNAME is set to
KEYRING:persistent:1003:1003 rather than to KEYRING:persistent:1003,
kinit will replace the credentials, and I'll have to kinit again to go
back to hedrick. With one-time passwords I'd really rather be able to
use kswitch.

I'd appreciate it if you would set KRB5CCNAME to the value from
krb5.conf, and not to the specific credential cache.
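As an added example (not part of the bug report or of OpenSSH), the following POSIX shell snippet shows a login-side workaround for the behaviour described above: it maps a per-principal cache name that sshd's GSSAPI path exports (KEYRING:persistent:1003:1003 in the report) back to the enclosing collection (KEYRING:persistent:1003), so that kinit and kswitch operate on the collection. The KEYRING and DIR name forms follow the MIT krb5 ccache naming; the KCM form (KCM:<uid>:<subsidiary>) and the function names `krb5_collection_of` and `fix_krb5ccname` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the bug report or from OpenSSH.
# Derive the credential-cache collection name from a single-cache name.
krb5_collection_of() {
    ccname=$1
    case $ccname in
        KEYRING:persistent:*:*)
            # KEYRING:persistent:<uid>:<subsidiary> -> KEYRING:persistent:<uid>
            uid=${ccname#KEYRING:persistent:}
            uid=${uid%%:*}
            printf '%s\n' "KEYRING:persistent:$uid" ;;
        DIR::*)
            # DIR::/path/tktXXXX (one cache) -> DIR:/path (the collection directory)
            path=${ccname#DIR::}
            printf '%s\n' "DIR:${path%/*}" ;;
        KCM:*:*)
            # Assumed form: KCM:<uid>:<subsidiary> -> KCM:<uid>
            rest=${ccname#KCM:}
            printf '%s\n' "KCM:${rest%%:*}" ;;
        *)
            # Already a collection, a plain FILE: cache, or unknown: leave untouched
            printf '%s\n' "$ccname" ;;
    esac
}

# Intended for ~/.profile: only rewrite KRB5CCNAME when it names a single
# cache inside a collection, so PAM-set values and FILE: caches are kept.
fix_krb5ccname() {
    [ -n "${KRB5CCNAME:-}" ] || return 0
    col=$(krb5_collection_of "$KRB5CCNAME")
    if [ "$col" != "$KRB5CCNAME" ]; then
        KRB5CCNAME=$col
        export KRB5CCNAME
    fi
}
```

Sourcing this from the login shell's profile gives the reporter's desired end state (KRB5CCNAME pointing at the collection) without changing sshd; after the rewrite, `kinit hedrick.admin` adds a second cache to the collection and `kswitch -p hedrick` switches back, as the report describes.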
