[Bug 3203] New: Could default_ccache_name from krb5.conf be used for GSSAPI connections?
bugzilla-daemon at mindrot.org
Wed Aug 26 21:34:54 AEST 2020
https://bugzilla.mindrot.org/show_bug.cgi?id=3203
Bug ID: 3203
Summary: Could default_ccache_name from krb5.conf be used for GSSAPI connections?
Product: Portable OpenSSH
Version: 8.3p1
Hardware: ix86
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: Kerberos support
Assignee: unassigned-bugs at mindrot.org
Reporter: toby at inf.ed.ac.uk
Hi there,
I'm filing this bug upstream as suggested in this Ubuntu bug report:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1889548
I'll recreate my original text from that ticket here:
"
ssh connections from a client with the following in ssh_config...
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
... to an Ubuntu 20.04 machine result in KRB5CCNAME being set to
'FILE:/tmp/krb5cc_[uid]_[random]' despite the following in
/etc/krb5.conf:
[libdefaults]
...
default_ccache_name = KEYRING:persistent:%{uid}
This means that we cannot enforce a policy to use KEYRING ccaches
across our systems. Authentications which go via the pam stack (e.g.
login to the machine at the console or over ssh using a password) can
be configured to use a KEYRING ccache, via libpam-krb5 settings in
/etc/krb5.conf.
The FILE: setting seems to be hard-coded in the openssh code
(auth-krb5.c). It would be great if ssh (gssapi-with-mic) connections
either (a) set KRB5CCNAME to the default_ccache_name value, if set in
/etc/krb5.conf, or (b) didn't set KRB5CCNAME at all, so the system
default is used.
"
Red Hat already patch for this, but they patch the upstream source quite
heavily (as do Ubuntu, but in different ways).
I'm hoping to spend more time on getting a patch to do this on ubuntu,
but I suspect that wouldn't be of much use upstream.
Would there be interest in implementing this functionality upstream?
Thanks
Toby Blake
School of Informatics
University of Edinburgh
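An added example, not part of the bug report or of OpenSSH, that shows how an administrator can audit the behaviour the report describes: it reads default_ccache_name from the [libdefaults] section of a krb5.conf and compares its cache type with the KRB5CCNAME a session ended up with. The sample krb5.conf, the session value and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the bug report or OpenSSH: check whether a
# session's KRB5CCNAME honours default_ccache_name from krb5.conf.

# Print default_ccache_name from the [libdefaults] section of the given
# krb5.conf, or nothing if it is not set there.
krb5_default_ccache_name() {
    awk '
        /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && /^[ \t]*default_ccache_name[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$1"
}

# Print the cache type (FILE, KEYRING, DIR, ...) of a ccache name.
# libkrb5 treats a name without a type prefix as a FILE: cache.
ccache_type() {
    case "$1" in
        *:*) printf '%s\n' "${1%%:*}" ;;
        *)   printf 'FILE\n' ;;
    esac
}

# Exit 0 if the session cache type matches the configured policy type,
# 1 if it deviates (the situation the report describes), 2 if no policy.
ccache_policy_check() {
    policy=$(krb5_default_ccache_name "$1")
    [ -n "$policy" ] || return 2
    [ "$(ccache_type "$policy")" = "$(ccache_type "$2")" ]
}

# Constructed sample krb5.conf with the KEYRING policy from the report.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    default_ccache_name = KEYRING:persistent:%{uid}
EOF

# Constructed value in the shape the report saw after a gssapi-with-mic login.
SSH_CC='FILE:/tmp/krb5cc_1000_AbCdEf'
if ccache_policy_check "$SAMPLE_CONF" "$SSH_CC"; then
    echo "ok: $SSH_CC matches the ccache policy"
else
    echo "deviation: $SSH_CC vs policy $(krb5_default_ccache_name "$SAMPLE_CONF")"
fi
```

Run it on a real host with `ccache_policy_check /etc/krb5.conf "$KRB5CCNAME"` from inside an ssh GSSAPI session to see whether that session deviated from the configured policy.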