[Bug 2775] New: Improve kerberos credential forwarding support
bugzilla-daemon at bugzilla.mindrot.org
Mon Sep 11 23:14:54 AEST 2017
https://bugzilla.mindrot.org/show_bug.cgi?id=2775
Bug ID: 2775
Summary: Improve kerberos credential forwarding support
Product: Portable OpenSSH
Version: 7.5p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: Kerberos support
Assignee: unassigned-bugs at mindrot.org
Reporter: jjelen at redhat.com
Created attachment 3051
--> https://bugzilla.mindrot.org/attachment.cgi?id=3051&action=edit
proposed patch from Fedora (rebased on master)
The following bug, which is finally close to being resolved, made me
file this bug report to catch up in upstream as well:
https://bugzilla.redhat.com/show_bug.cgi?id=1199363
So what is the problem? OpenSSH by default uses a FILE: credential
cache under TMP, which has the great advantage of being portable, but
it might not be ideal from a security point of view, it might have some
limitations (it is not actually a collection -- it can handle only a
single principal, so it is always overwritten by the next kinit in the
session) and there is nowhere to configure it on the server. The
"pointer" to this ccache is preserved in the environment variable
KRBCCNAME, which makes the forwarded credentials pretty much isolated
in the session and not available after the session is closed and some
jobs are executed on the user's behalf. This can be considered an
advantage or not.
Years ago, we implemented a patch that was picking up the default
ccache location from the krb5 configuration files (there is a krb5
function to do that). It had some issues, but it looks like we
pinpointed them, and the proposed patch is in the attachment. What does
it do, in short?
* Gets default_ccache_name from the Kerberos configuration files.
* Replaces expansion templates (we can't use krb5 functions, since to
my understanding we are still running under the root context and we
need to replace the UID).
* The code tries to use this default value, but if it fails to retrieve
it, it falls back to the FILE: ccache as it always did.
* We do not set the environment variable KRBCCNAME if the default
ccache is used. Tools using Kerberos know where the cache is if it is
in the default location. When we were setting it, we were hitting the
error explained in the above bugzilla.
* Adds some portability bits for Windows (CCAPI ccache if supported,
instead of files under /tmp/).
Feel free to comment if there is anything unclear in the patch or in
the comments. A variation of this patch is used in both Fedora and
RHEL.
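The cache-selection logic the report describes (expand the configured default_ccache_name by hand while still root, fall back to the per-session FILE: cache, and only then export the KRB5CCNAME-style pointer), as an added illustration written for this page, not code from the attached patch or from OpenSSH. It assumes the tokens %{uid}, %{euid} and %{username} as the supported subset, and uses a fixed placeholder suffix where the real code would call mkstemp.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Expand %{uid}, %{euid} and %{username} in a krb5 default_ccache_name
 * template into out, without libkrb5 (sshd is still root here, so the
 * library would expand the wrong user; assumed subset of tokens).
 * Returns 0 on success, -1 on unknown token, missing '}' or overflow. */
int expand_ccache_template(const char *tmpl, uid_t uid, const char *user,
                           char *out, size_t outlen)
{
    size_t pos = 0;
    while (*tmpl != '\0') {
        if (tmpl[0] != '%' || tmpl[1] != '{') {          /* literal byte */
            if (pos + 1 >= outlen) return -1;
            out[pos++] = *tmpl++;
            continue;
        }
        const char *end = strchr(tmpl + 2, '}');
        if (end == NULL) return -1;
        size_t toklen = (size_t)(end - (tmpl + 2));
        int n;
        if ((toklen == 3 && memcmp(tmpl + 2, "uid", 3) == 0) ||
            (toklen == 4 && memcmp(tmpl + 2, "euid", 4) == 0))
            n = snprintf(out + pos, outlen - pos, "%lu", (unsigned long)uid);
        else if (toklen == 8 && memcmp(tmpl + 2, "username", 8) == 0)
            n = snprintf(out + pos, outlen - pos, "%s", user);
        else
            return -1;                                   /* unknown token */
        if (n < 0 || (size_t)n >= outlen - pos) return -1;
        pos += (size_t)n;
        tmpl = end + 1;
    }
    out[pos] = '\0';
    return 0;
}

/* Pick the ccache for forwarded credentials: the expanded default when it
 * resolves (Kerberos tools find it themselves, so the environment pointer
 * stays unset), else the classic per-session FILE: cache under /tmp.
 * Returns 1 when the caller must export the ccache variable, 0 when not. */
int choose_ccache(const char *default_ccache_name, uid_t uid, const char *user,
                  char *out, size_t outlen)
{
    if (default_ccache_name != NULL && *default_ccache_name != '\0' &&
        expand_ccache_template(default_ccache_name, uid, user, out, outlen) == 0)
        return 0;
    /* XXXXXXXX is a placeholder for the mkstemp suffix real code would use */
    snprintf(out, outlen, "FILE:/tmp/krb5cc_%lu_XXXXXXXX", (unsigned long)uid);
    return 1;
}
```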