[Bug 2775] Improve kerberos credential forwarding support

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Thu Oct 18 23:14:58 AEDT 2018


https://bugzilla.mindrot.org/show_bug.cgi?id=2775

--- Comment #9 from Charles Hedrick <hedrick at rutgers.edu> ---
I wasn't suggesting changing permanently to the user's context, just
changing temporarily while you generate the ccname, and while you open
the ccache (for KCM). I'm not sure which uid you need to set for each
of these operations, but as long as the saved uid remains 0 you can get
back. Look at setresuid. That assumes there aren't portability problems
with setresuid. I don't know whether portable openssh supports any OSes
without saved uid, but if so they'll probably be old enough to use the
old code, the same as if they have an old Kerberos.

RHEL has announced that KCM: will be the default for the next release.
I don't think you want sshd to not support it. This is portable ssh,
not the RHEL-specific patch, so KCM support could be added in
RHEL-specific code, but since KCM is going to be on all versions
through sssd, I'd prefer to see it done portably.

As to Kerberos versions, this is the bugzilla for portable openssh.
Isn't this the version that would most likely be used for old Linuxes,
Solaris 2.8, etc.? It's not hard to accommodate old Kerberos. Just omit
all the new code. I believe the latest version of the patch leaves in
the code to act the old way but doesn't use it by default. It should
become the only code if collections don't exist. This has to be done at
compile time, not run time, since you won't be able to compile code
with the collections API on an old Kerberos.

As to KRB5CCNAME. I understand the problems with setting it. The old
code sets it wrong. But sssd sets it, and I don't think you want
behavior to depend upon whether you typed a password or used Kerberos.
I conjecture that you can simply use the expanded value of the default
from krb5.conf. I think that will always do the right thing. Can you
think of counterexamples?

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
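
The temporary switch described in the comment above, sketched as an added example (not code from the patch under discussion or from OpenSSH). The names `run_as_user` and `record_euid` are hypothetical, and the platform is assumed to provide `setresuid`/`setresgid`.

```c
#define _GNU_SOURCE /* exposes setresuid/setresgid on glibc */
#include <errno.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Repeated so the block builds even if _GNU_SOURCE took effect too late. */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);

/*
 * Hypothetical helper: run fn(arg) with the effective uid/gid set to uid/gid,
 * then switch back. Passing -1 leaves the real and saved ids untouched, so a
 * root caller keeps saved uid 0 and can return. Supplementary groups are not
 * changed. Returns fn's result, or -1 with errno set if the switch failed.
 */
int run_as_user(uid_t uid, gid_t gid, int (*fn)(void *), void *arg)
{
    uid_t old_euid = geteuid();
    gid_t old_egid = getegid();
    int ret, saved_errno;

    /* Group first: once euid is non-zero the gid change may be refused. */
    if (setresgid((gid_t)-1, gid, (gid_t)-1) == -1)
        return -1;
    if (setresuid((uid_t)-1, uid, (uid_t)-1) == -1) {
        saved_errno = errno;
        if (setresgid((gid_t)-1, old_egid, (gid_t)-1) == -1)
            abort();
        errno = saved_errno;
        return -1;
    }

    ret = fn(arg);   /* e.g. expand the ccname or open the ccache */
    saved_errno = errno;

    /* Restore uid first, then gid; abort rather than run half-switched. */
    if (setresuid((uid_t)-1, old_euid, (uid_t)-1) == -1 ||
        setresgid((gid_t)-1, old_egid, (gid_t)-1) == -1 ||
        geteuid() != old_euid || getegid() != old_egid)
        abort();
    errno = saved_errno;
    return ret;
}

/* Constructed callback: records the euid the work ran under. */
int record_euid(void *arg) { *(uid_t *)arg = geteuid(); return 0; }

int main(void) { uid_t seen; return run_as_user(getuid(), getgid(), record_euid, &seen); }
```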

