[Bug 2775] New: Improve kerberos credential forwarding support

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Mon Sep 11 23:14:54 AEST 2017


https://bugzilla.mindrot.org/show_bug.cgi?id=2775

            Bug ID: 2775
           Summary: Improve kerberos credential forwarding support
           Product: Portable OpenSSH
           Version: 7.5p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Kerberos support
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jjelen at redhat.com

Created attachment 3051
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3051&action=edit
proposed patch from Fedora (rebased on master)

The following bug, which is finally close to being resolved, made me
file this bug report to catch up in upstream as well:

https://bugzilla.redhat.com/show_bug.cgi?id=1199363

So what is the problem? OpenSSH by default uses a FILE: credential
cache under TMP, which has the great advantage of being portable, but
might not be ideal from a security point of view, it has some
limitations (it is not actually a collection -- it can handle only a single
principal, so it is always overwritten by the next kinit in the session) and
there is nowhere to configure it on the server. The "pointer" to this ccache is
preserved in the environment variable KRBCCNAME, which keeps the
forwarded credentials pretty much isolated in the session and not available
after the session is closed and some jobs are executed on the user's behalf.
This can be considered an advantage or not.

Years ago, we implemented a patch that picked up the default ccache
location from the krb5 configuration files (there is a krb5 function to do
that). It had some issues, but it looks like we pinpointed them,
and the proposed patch is in the attachment. What does it do, in short?

* Gets default_ccache_name from the Kerberos configuration files.
* Replaces expansion templates (we can't use the krb5 functions, since we
are still running under the root context, to my understanding, and we
need to replace the UID).
* The code tries to use this default value, but if it fails to retrieve
it, falls back to the FILE: ccache as it always did.
* We do not set the environment variable KRBCCNAME if the default ccache is
used. Tools using Kerberos know where the cache is if it is in the default
location. When we were setting it, we were hitting the error explained
in the above bugzilla.
* Adds some portability bits for Windows (CCAPI ccache if supported,
instead of files under /tmp/).
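The decision sequence in the list above (read default_ccache_name, expand the %{...} templates for the target user while still running as root, fall back to the per-session FILE: cache, and only export the credential-cache environment variable in the fallback case), as an added illustration that is not the attached patch and not OpenSSH code. sshd itself is C; this is a Python sketch of the same logic. The krb5.conf fragments, the user name/UID values, the supported token set (%{uid}, %{euid}, %{username}, %{TEMP}, %{null}) and the mkstemp-style `XXXXXX` suffix are constructed for the example, and the config reader only understands the flat [libdefaults] section.

```python
import re
from typing import Optional, Tuple

# Constructed sample krb5.conf fragments (not from the bug report).
KRB5_CONF_KEYRING = """
[libdefaults]
    default_realm = EXAMPLE.COM
    # collection-capable kernel keyring cache, one per user
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

KRB5_CONF_NO_DEFAULT = """
[libdefaults]
    default_realm = EXAMPLE.COM
"""


def get_default_ccache_name(conf_text: str) -> Optional[str]:
    """Return default_ccache_name from [libdefaults], or None if it is absent.

    Minimal reader: only the flat [libdefaults] section is interpreted;
    nested realm/domain blocks are skipped.
    """
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "default_ccache_name":
            return value
    return None


def expand_ccache_template(template: str, uid: int, username: str,
                           euid: Optional[int] = None,
                           tmpdir: str = "/tmp") -> str:
    """Expand krb5-style %{...} tokens for the *target* user.

    The daemon is still root at this point, so the values come from the
    authenticated user's account, not from the calling process. An
    unsupported token raises ValueError so the caller can fall back.
    """
    values = {
        "uid": str(uid),
        "euid": str(uid if euid is None else euid),
        "username": username,
        "TEMP": tmpdir,
        "null": "",
    }

    def repl(m: re.Match) -> str:
        name = m.group(1)
        if name not in values:
            raise ValueError(f"unsupported ccache template token %{{{name}}}")
        return values[name]

    return re.sub(r"%\{([^}]*)\}", repl, template)


def choose_ccache(conf_text: str, uid: int, username: str,
                  tmpdir: str = "/tmp") -> Tuple[str, bool]:
    """Return (ccache_name, export_env_var).

    Prefer the configured default and do NOT export the variable, since
    Kerberos tools already know the default location. Otherwise use the
    traditional per-session FILE: cache under tmpdir and export its path.
    The XXXXXX suffix stands in for the random part mkstemp would fill in.
    """
    template = get_default_ccache_name(conf_text)
    if template is not None:
        try:
            name = expand_ccache_template(template, uid, username, tmpdir=tmpdir)
            return name, False
        except ValueError:
            pass  # unknown token: fall through to the traditional behaviour
    return f"FILE:{tmpdir}/krb5cc_{uid}_XXXXXX", True


if __name__ == "__main__":
    for conf in (KRB5_CONF_KEYRING, KRB5_CONF_NO_DEFAULT):
        print(choose_ccache(conf, uid=1000, username="alice"))
```

The second element of the tuple is the point of the fourth bullet: when the configured default is used, nothing is exported, so a later kinit or a job running after logout finds the same collection that the Kerberos libraries would pick on their own.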

Feel free to comment if there is anything unclear in the patch or in
the comments. A variation of this patch is used in both Fedora and
RHEL.
