[Bug 2775] Improve kerberos credential forwarding support

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Thu Oct 18 03:37:59 AEDT 2018


https://bugzilla.mindrot.org/show_bug.cgi?id=2775

--- Comment #5 from Charles Hedrick <hedrick at rutgers.edu> ---
OK, I tested master with the second patch. Some issues:

Default is KCM:. On the target system I have an expired ticket in
KCM:1003. I do Kerberized ssh. The login happens, but the default cc is
still KCM:1003, and the ticket is still expired. I suspect the problem
is that you didn't do seteuid to the user. The KCM: implementation is
weird. There's no way for root to refer to the default collection of a
user. With KEYRING, you can use KEYRING:persistent:%{uid}, but KCM:1003
isn't a collection; it's a specific ccache. The only way to refer to
the collection is KCM: alone, and that only works if you're the right
user. I actually think this is a problem. I think KCM:1003 should be a
collection, and the first ticket should be something like
KCM:1003:1003, but the implementor doesn't see this as a problem.

Using KEYRING:persistent:%{uid}

I have two things in the collection, hedrick and hedrick.admin, with
hedrick.admin selected. It adds a third cache for hedrick and selects
it. It should really use krb5_cc_cache_match to find the original
hedrick, update it with the new credential, and switch to it.

I have one credential, for hedrick. It adds a second one. I think this
is a mistake. sssd will reuse the existing credential cache.

sssd will also set KRB5CCNAME, which I think is preferred, though
leaving it unset isn't really a bug.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

