[Bug 2815] New: please set KRB5CCNAME to collection

bugzilla-daemon at bugzilla.mindrot.org
Sun Dec 24 07:21:56 AEDT 2017


            Bug ID: 2815
           Summary: please set KRB5CCNAME to collection
           Product: Portable OpenSSH
           Version: 7.4p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Kerberos support
          Assignee: unassigned-bugs at mindrot.org
          Reporter: hedrick at rutgers.edu

Most current implementations for Kerberos use collections for
credentials, e.g. KEYRING or KCM. E.g. we have our default credentials
set to KEYRING:persistent:%{uid} in krb5.conf. When I login, that
should result in KRB5CCNAME being set to KEYRING:persistent:1003. When
I ssh and go through PAM, that's what I get. But if I have a current
Kerberos credential, sshd won't invoke PAM for authentication. It will
set up KRB5CCNAME itself. It will set it to this specific cache, e.g.

Suppose I need to kinit as a different user, e.g. hedrick.admin. If
KRB5CCNAME is set to the collection, kinit will create a new cache for
hedrick.admin, leaving the original one undisturbed, and change the
primary cache to the new one. Then when I'm finished I can go back to
hedrick using "kswitch -p hedrick". However if KRB5CCNAME is set to
KEYRING:persistent:1003:1003 rather than to KEYRING:persistent:1003,
kinit will replace the credentials, and I'll have to kinit again to go
back to hedrick. With one-time passwords I'd really rather be able to
use kswitch.

I'd appreciate it if you would set KRB5CCNAME to the value from
krb5.conf, and not to the specific credential cache.
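A check a user can drop into a login profile to detect the situation described in this report (KRB5CCNAME pointing at one subsidiary cache rather than at its collection) and print the collection to switch back to; this is an added example, not code from the bug report or from OpenSSH. It assumes the name layouts KEYRING:anchor:collection[:subsidiary], KCM:uid[:name] and DIR::path for a specific cache inside the DIR:dir collection, and handles only those collection-capable types.

```shell
#!/bin/sh
# Given a KRB5CCNAME value, print the collection it belongs to.
# Exit status: 0 = collection printed, 1 = not a collection-capable type.
# Assumed layouts (not an exhaustive parser of every cache type):
#   KEYRING:anchor:collection[:subsidiary]  -> first three fields
#   KCM:uid[:name]                          -> first two fields
#   DIR::/dir/tktfile (specific)            -> DIR:/dir
krb5_collection_of() {
    name=$1
    case $name in
        KEYRING:*)
            printf '%s\n' "$name" | cut -d: -f1-3
            ;;
        KCM:*)
            printf '%s\n' "$name" | cut -d: -f1-2
            ;;
        DIR::*)
            printf 'DIR:%s\n' "$(dirname "${name#DIR::}")"
            ;;
        DIR:*)
            printf '%s\n' "$name"
            ;;
        *)
            return 1
            ;;
    esac
}

# Print an export line for the collection when the current KRB5CCNAME
# names a specific cache inside one; print nothing otherwise.
# Usage in a login profile:  eval "$(krb5_fix_ccname)"
krb5_fix_ccname() {
    [ -n "${KRB5CCNAME:-}" ] || return 0
    coll=$(krb5_collection_of "$KRB5CCNAME") || return 0
    [ "$coll" != "$KRB5CCNAME" ] || return 0
    printf 'export KRB5CCNAME=%s\n' "$coll"
}
```

After switching to the collection, `klist -A` lists every cache it contains, so the sshd-created cache and a later `kinit hedrick.admin` can be told apart.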
