kerberos default_ccache_name with sssd

Dave Macias davama at
Thu Jun 6 23:26:01 AEST 2024

Good day everyone,

I am currently testing integrating kerberos into our MMR openldap cluster
and things have gone well so far.

I can ssh to my test clients using my kerberos credentials then ssh using
GSSAPI to other hosts as defined in my principals using my ticket,
achieving SSO.

*I wanted to see if I could make the cache file user-specific, instead of
the default location (/tmp/krb5cc-blabla).*

I configured sssd.conf with:
    krb5_ccachedir = %h
    krb5_ccname_template = FILE:%d/.krb5cc_%U

I configured krb5.conf with:
    default_ccache_name = FILE:/home/%{username}/.krb5cc_%{uid}

My sshd_config has the following:
KerberosAuthentication yes
KerberosOrLocalPasswd no
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes
UseDNS yes

*What I noticed:*
When I ssh to the host I can see that klist shows my cache file under /tmp:
Ticket cache: FILE:/tmp/krb5cc_2000_tgiettMBSK
Default principal: jdoe at DOMAIN.NET

Valid starting       Expires              Service principal
06/06/2024 09:06:40  06/07/2024 09:06:40  krbtgt/DOMAIN.NET at DOMAIN.NET
renew until 06/06/2024 09:06:40

If I instead `su` to the user and then `echo pass | kinit`, my cache file is
[root at krbhost3 ~]# su - jdoe
[jdoe at krbhost3 ~]$ klist
klist: No credentials cache found (filename: /home/jdoe/.krb5cc_jdoe)
[jdoe at krbhost3 ~]$ echo password | kinit
Password for jdoe at DOMAIN.NET:
[jdoe at krbhost3 ~]$ klist
Ticket cache: FILE:/home/jdoe/.krb5cc_jdoe
Default principal: jdoe at

Valid starting       Expires              Service principal
06/06/2024 09:08:03  06/07/2024 09:08:03  krbtgt/NWK.JWM2.NET at DOMAIN.NET
renew until 06/06/2024 09:08:03

So it seems that sssd does as configured and places the cache file in the
correct location, but when I ssh into the host, it goes to the default.

I also tried setting the KRB5CCNAME environment variable in
/etc/sysconfig/sshd file but sshd still prefers the defaults.

I am using pam_sss and not pam_krb5. (authselect select sssd with-mkhomedir)

*My environment: (3 hosts total)*
rockylinux9: (x2)
OpenSSH_8.7p1, OpenSSL 3.0.7 1 Nov 2022

rockylinux8: (1x)
OpenSSH_8.0p1, OpenSSL 1.1.1k  FIPS 25 Mar 2021

Not sure if this is a redhat issue (since openssh is older on my systems)
or a misconfiguration on my part.

Any input is very much appreciated.
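The following is an added example (not part of the original post or of the OpenSSH, sssd or MIT Kerberos projects) showing one way to check, from a login session, where the Kerberos credential cache actually ended up versus the per-user location the templates above aim for. It parses the "Ticket cache:" line of klist output in the format shown in the post and classifies the path as under the user's home, under /tmp, or elsewhere. The two SAMPLE_* strings are constructed from the klist runs in the post; the function names and the "home"/"tmp"/"other" labels are this example's own choices.

```shell
#!/bin/sh
# Added example: audit where a Kerberos credential cache landed.
# Not code from the original post; function names and labels are this example's own.

# Constructed sample klist output, modelled on the two runs shown in the post.
SAMPLE_SSH='Ticket cache: FILE:/tmp/krb5cc_2000_tgiettMBSK
Default principal: jdoe@DOMAIN.NET'
SAMPLE_SU='Ticket cache: FILE:/home/jdoe/.krb5cc_jdoe
Default principal: jdoe@DOMAIN.NET'

# Print the cache path (FILE: prefix stripped) from klist text given as $1.
# Only the first "Ticket cache:" line is used.
ccache_path() {
    printf '%s\n' "$1" | sed -n 's/^Ticket cache: *FILE://p' | head -n 1
}

# Classify the cache location: $1 is klist text, $2 is the user's home directory.
# Prints "home" if the cache sits under $2, "tmp" if it sits under /tmp, else "other".
ccache_location() {
    p=$(ccache_path "$1")
    case "$p" in
        "$2"/*) echo home ;;
        /tmp/*)  echo tmp ;;
        *)       echo other ;;
    esac
}

# Live check for the current session: reports KRB5CCNAME (if set) and the
# location class of the cache klist reports, compared against $HOME.
# Returns 1 if klist finds no credential cache at all.
audit_current_session() {
    printf 'KRB5CCNAME=%s\n' "${KRB5CCNAME:-<unset>}"
    out=$(klist 2>/dev/null) || { echo "no credential cache found"; return 1; }
    ccache_location "$out" "$HOME"
}
```

Run `audit_current_session` once in an ssh-with-GSSAPI session and once after `su - jdoe; kinit`: the post's two klist runs would classify as "tmp" and "home" respectively, which makes the mismatch between the sshd-created cache and the sssd/krb5.conf template visible without reading klist output by eye. The KRB5CCNAME line is printed because the library and pam_sss honour that variable when it is set, so seeing it unset in the ssh session is itself a useful data point.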


More information about the openssh-unix-dev mailing list