[Bug 2775] Improve kerberos credential forwarding support

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Tue Oct 16 04:28:33 AEDT 2018


https://bugzilla.mindrot.org/show_bug.cgi?id=2775

Charles Hedrick <hedrick at rutgers.edu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hedrick at rutgers.edu

--- Comment #2 from Charles Hedrick <hedrick at rutgers.edu> ---
What happened to this? It's still a problem for us. In the most recent
version, the credential is actually going into /tmp. (I had been using
the version from Centos, which has patches from Redhat that caused the
problem reported here.) This is clearly not the right behavior. Thus it
doesn't appear that the patch referred to here was actually done. Using
/tmp is clearly wrong, and will interfere with Redhat's move to KCM:.

I've submitted a bug report to Redhat, since it's their code in Centos,
but I'd rather see it fixed here.

Leaving KRB5CCNAME unset would normally do the right thing, but I don't
recommend it. There will still have to be code added that understands
collections. (configure.ac will have to be modified to see whether
krb5_cc_cache_match exists. It was added in 2012. openssh probably
wants to support OSs older than that.) You want behavior to be the same
as in kinit and sssd. To avoid overwriting a cache having a different
principal, you need to do krb5_cc_cache_match to find a credential in
the cache that matches the one you're logging in with. If there isn't
then you have to create a new credential in the cache explicitly (if
you don't you could overwrite one with a different principal), and
arguably make it primary. In the end, you can set KRB5CCNAME to the
collection or leave it unset. In principle it doesn't matter. However
for consistency with sssd I'd set it. You really don't want behavior to
be different depending upon whether you used a password or not.

I'm willing to write the code if you'll accept it.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
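The match-or-create procedure the comment describes (look for a cache in the collection that already holds this principal, otherwise create a new one, make it primary, and point KRB5CCNAME at the collection) contrasted with the overwrite hazard it warns about, as an added example that is not part of the bug report, OpenSSH or MIT Kerberos. It does not link against libkrb5; it models the semantics of krb5_cc_cache_match, krb5_cc_new_unique/krb5_cc_initialize, krb5_cc_switch and krb5_cc_default with an in-memory collection so the behaviour can be run offline. The collection path, cache names and principal names are constructed sample data.

```python
"""In-memory model of a Kerberos credential-cache collection (DIR: or KCM:).

Added example, not OpenSSH or MIT Kerberos code.  The class methods note the
libkrb5 call whose semantics they stand in for; nothing here talks to a KDC
or touches the filesystem.  Cache and principal names are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Cache:
    name: str                  # e.g. "DIR::/run/user/1000/krb5cc/tkt1" (constructed)
    principal: str             # client principal the cache was initialized for
    creds: List[str] = field(default_factory=list)   # stored service tickets


class Collection:
    """Stand-in for a collection-capable cache type such as DIR: or KCM:."""

    def __init__(self, spec: str):
        self.spec = spec       # what KRB5CCNAME should be set to (constructed)
        self.caches: Dict[str, Cache] = {}
        self.primary: Optional[str] = None
        self._seq = 0

    def cache_match(self, principal: str) -> Optional[Cache]:
        """krb5_cc_cache_match(): find a cache for this principal, if any."""
        for cache in self.caches.values():
            if cache.principal == principal:
                return cache
        return None

    def new_unique(self, principal: str) -> Cache:
        """krb5_cc_new_unique() + krb5_cc_initialize(): a fresh cache."""
        self._seq += 1
        cache = Cache(name=f"{self.spec}/tkt{self._seq}", principal=principal)
        self.caches[cache.name] = cache
        if self.primary is None:   # first cache in a collection becomes primary
            self.primary = cache.name
        return cache

    def switch(self, cache: Cache) -> None:
        """krb5_cc_switch(): make this cache the collection's primary."""
        self.primary = cache.name

    def default(self) -> Optional[Cache]:
        """krb5_cc_default() with KRB5CCNAME naming the collection."""
        return self.caches.get(self.primary) if self.primary else None


def store_naively(coll: Collection, principal: str, creds: List[str]) -> dict:
    """The hazard the comment describes: initialize whatever cache is the
    default for the incoming principal, even if it belonged to someone else."""
    target = coll.default() or coll.new_unique(principal)
    target.principal = principal        # krb5_cc_initialize() replaces the owner
    target.creds = list(creds)          # ...and discards the old tickets
    return {"KRB5CCNAME": coll.spec, "cache": target.name}


def store_with_match(coll: Collection, principal: str, creds: List[str],
                     make_primary: bool = True) -> dict:
    """What kinit/sssd do: reuse a cache already holding this principal,
    otherwise create a new one; optionally make it primary."""
    target = coll.cache_match(principal)
    if target is None:
        target = coll.new_unique(principal)
    target.creds = list(creds)          # re-initialize only *this* principal's cache
    if make_primary:
        coll.switch(target)
    # Same value whether the login used a password or forwarded credentials.
    return {"KRB5CCNAME": coll.spec, "cache": target.name}


if __name__ == "__main__":
    coll = Collection("DIR:/run/user/1000/krb5cc")
    alice = coll.new_unique("alice@EXAMPLE.COM")
    alice.creds = ["krbtgt/EXAMPLE.COM@EXAMPLE.COM"]
    store_with_match(coll, "bob@EXAMPLE.COM", ["krbtgt/EXAMPLE.COM@EXAMPLE.COM"])
    print(sorted(c.principal for c in coll.caches.values()), coll.default().principal)
```

Run with two logins for different principals: the naive path leaves only bob's tickets behind, while the matched path keeps alice's cache intact and simply adds bob's and switches the primary. A real implementation would also have to fall back to the single-cache behaviour when the default cache type does not support collections, which is the configure-time check the comment mentions.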