[Bug 3203] New: Could default_ccache_name from krb5.conf be used for GSSAPI connections?

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed Aug 26 21:34:54 AEST 2020


https://bugzilla.mindrot.org/show_bug.cgi?id=3203

            Bug ID: 3203
           Summary: Could default_ccache_name from krb5.conf be used for
                    GSSAPI connections?
           Product: Portable OpenSSH
           Version: 8.3p1
          Hardware: ix86
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Kerberos support
          Assignee: unassigned-bugs at mindrot.org
          Reporter: toby at inf.ed.ac.uk

Hi there,

I'm filing this bug upstream as suggested in this Ubuntu bug report:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1889548

I'll recreate my original text from that ticket here:

"
ssh connections from a client with the following in ssh_config...

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

... to an Ubuntu 20.04 machine result in KRB5CCNAME being set to
'FILE:/tmp/krb5cc_[uid]_[random]' despite the following in
/etc/krb5.conf:

[libdefaults]
 ...
 default_ccache_name = KEYRING:persistent:%{uid}

This means that we cannot enforce a policy to use KEYRING ccaches
across our systems. Authentications which go via the pam stack (e.g.
login to the machine at the console or over ssh using a password) can
be configured to use a KEYRING ccache, via libpam-krb5 settings in
/etc/krb5.conf.

The FILE: setting seems to be hard-coded in the openssh code
(auth-krb5.c). It would be great if ssh(gssapi-with-mic) connections
either (a) set KRB5CCNAME to the default_ccache_name value, if set in
/etc/krb5.conf, or (b) didn't set KRB5CCNAME at all, so the system
default is used.
"

Red Hat already patches for this, but they patch the upstream source quite
heavily (as does Ubuntu, but in different ways).

I'm hoping to spend more time on getting a patch to do this on ubuntu,
but I suspect that wouldn't be of much use upstream.

Would there be interest in implementing this functionality upstream?

Thanks
Toby Blake
School of Informatics
University of Edinburgh
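A policy check for the mismatch the report describes, added here as an example and not code from the bug report or from OpenSSH: it reads default_ccache_name from a krb5.conf and tells whether a given KRB5CCNAME (such as the FILE: cache exported after GSSAPI credential delegation) uses the same cache type as the configured default. The krb5.conf fragment, the function names and the sample cache names are constructed for the example.

```shell
#!/bin/sh
# Constructed krb5.conf fragment with the KEYRING policy from the report.
SAMPLE_KRB5_CONF=$(mktemp)
cat >"$SAMPLE_KRB5_CONF" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.ORG
 default_ccache_name = KEYRING:persistent:%{uid}
[realms]
 EXAMPLE.ORG = { kdc = kdc.example.org }
EOF

# Print default_ccache_name from the [libdefaults] section of the given krb5.conf
# (nothing is printed when it is unset; other sections are ignored).
krb5_default_ccache() {
    awk '
        /^[[:space:]]*\[/ { in_ld = ($0 ~ /^[[:space:]]*\[libdefaults\]/); next }
        in_ld && /^[[:space:]]*default_ccache_name[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }
    ' "$1"
}

# Print the cache type of a ccache name: the part before the first colon.
# A name with no type prefix is a FILE cache as far as libkrb5 is concerned.
ccache_type() {
    case "$1" in
        *:*) printf '%s\n' "${1%%:*}" ;;
        *)   printf 'FILE\n' ;;
    esac
}

# Return 0 when KRB5CCNAME ($1) is consistent with the policy in krb5.conf ($2):
# an empty KRB5CCNAME means the library default applies, and no configured
# default means there is no policy to violate. Otherwise compare cache types.
ccache_matches_policy() {
    [ -n "$1" ] || return 0
    policy=$(krb5_default_ccache "$2")
    [ -n "$policy" ] || return 0
    [ "$(ccache_type "$1")" = "$(ccache_type "$policy")" ]
}

# On a live session, the same check against the real configuration would be:
#   ccache_matches_policy "${KRB5CCNAME:-}" /etc/krb5.conf || echo "ccache deviates from policy"
```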
