kerberos default_ccache_name with sssd
Dave Macias
davama at gmail.com
Wed Jun 12 10:21:22 AEST 2024
Just to show what I mean when I ssh into my VMs: 2 VMs save the cache in /tmp and the other 2 in /home. See what happens when I run the loop below:
> for i in rocky8client rocky9client rocky9server rocky8server; do /usr/bin/sshpass -p password /usr/bin/ssh -l jdoe $i "hostname; klist"; done
rocky8client.domain.net
Ticket cache: FILE:/tmp/krb5cc_2000_WP04h8h0sa
Default principal: jdoe at DOMAIN.NET
Valid starting Expires Service principal
06/11/2024 17:58:09 06/12/2024 17:58:09 krbtgt/DOMAIN.NET at DOMAIN.NET
renew until 06/11/2024 17:58:09
rocky9client.domain.net
Ticket cache: FILE:/tmp/krb5cc_2000_XXXXkYi1X5
Default principal: jdoe at DOMAIN.NET
Valid starting Expires Service principal
06/11/24 17:58:10 06/12/24 17:58:10 krbtgt/DOMAIN.NET at DOMAIN.NET
renew until 06/11/24 17:58:10
Your password will expire in 23 hours.
rocky9server.domain.net
Ticket cache: FILE:/home/jdoe/.krb5cc_2000
Default principal: jdoe at DOMAIN.NET
Valid starting Expires Service principal
06/11/24 21:58:11 06/12/24 21:58:11 krbtgt/DOMAIN.NET at DOMAIN.NET
renew until 06/11/24 21:58:11
rocky8server.domain.net
Ticket cache: FILE:/home/jdoe/.krb5cc_2000
Default principal: jdoe at DOMAIN.NET
Valid starting Expires Service principal
06/11/24 21:58:12 06/12/24 21:58:12 krbtgt/DOMAIN.NET at DOMAIN.NET
renew until 06/11/24 21:58:12
On Jun 11, 2024 at 5:05 PM -0400, Dave Macias <davama at gmail.com>, wrote:
> Thank you both for the replies and explanation!
>
> @douglas
>
> Can I set KRB5CCNAME somewhere so that it uses /home? Where?
>
> But even if I could set the env variable I have this odd behavior:
>
> I now have 4 vms running.
> 2 are rocky8 and 2 are rocky9, with same settings and versions I stated on my first post.
>
> From the 4 VMs, when I ssh into them, 2 of them set a cache file in the user's home and the other two save it in /tmp.
> I can't seem to understand why my other two VMs do not want to set up the cache in /home.
>
> The only difference I can think of is that the two VMs that do use /home are the actual KDC/LDAP servers. The two "bad" VMs are clients, only running sssd/sshd.
>
> Upon ssh login to each of the 4 VMs, a KRB5CCNAME=FILE:/bla environment variable is set, which will be /tmp or /home depending on the VM.
>
> Someone requested a trace, so I'll post that tomorrow; hopefully it will be helpful.
>
> Appreciate very much you all’s input!
>
> Best,
> Dave
> On Jun 11, 2024 at 2:00 PM -0400, Douglas E Engert <deengert at gmail.com>, wrote:
> >
> >
> > On 6/6/2024 8:26 AM, Dave Macias wrote:
> > > *I wanted to see if I could make the cache file user-specific, instead of
> > > the default location (/tmp/krb5cc-blabla).*
> > SSH is creating a separate ticket cache file for each login session and owned by the user.
> > This has been the preferred way to do this for decades.
> > https://kerberos.mit.narkive.com/YJB4Hshz/krb5ccname-and-sshd
> >
> > Your: "Ticket cache: FILE:/tmp/krb5cc_2000_tgiettMBSK" looks like it is set by sshd and your environment should have a KRB5CCNAME with that name.
> > If you share the ticket cache between multiple login sessions, when the first session ends, the "GSSAPICleanupCredentials yes" will cause the shared ticket cache to be deleted.
> > Using /tmp means the cache is destroyed upon a shutdown/restart. /tmp is also a local file system. /home may be on a network disk which has other issues.
> > > openssh-unix-dev mailing list
> > > openssh-unix-dev at mindrot.org
> > > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> >
> > --
> >
> > Douglas E. Engert <DEEngert at gmail.com>
> >
> >
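The thread contrasts two cache layouts: the per-session FILE:/tmp/krb5cc_UID_XXXXXX file that sshd creates and points KRB5CCNAME at, and a single per-user file under /home that every login shares (and that the first logout removes when GSSAPICleanupCredentials is on). The script below is an added example, not code from the thread or from OpenSSH/sssd: it classifies the "Ticket cache:" line of klist output from each host and attaches the operational note that follows from the discussion above, using constructed klist samples in place of the ssh loop.

```shell
#!/bin/sh
# Added example: classify the ticket cache reported by `klist` per host.
# Sample klist output below is constructed; host names mirror the thread.

# classify_ccache <klist output> -> per-session | per-user | collection | other
classify_ccache() {
    cache=$(printf '%s\n' "$1" | sed -n 's/^Ticket cache: //p' | head -n 1)
    case "$cache" in
        FILE:/tmp/krb5cc_[0-9]*_*)  echo per-session ;;  # sshd: uid + random suffix
        FILE:/home/*/.krb5cc_*)     echo per-user ;;     # one file shared by all logins
        FILE:/tmp/krb5cc_[0-9]*)    echo per-user ;;     # kinit default name, also shared
        KEYRING:*|KCM:*|DIR:*)      echo collection ;;   # not a single plain file
        *)                          echo other ;;
    esac
}

# ccache_note <class> -> one-line note for the report (from the thread's points)
ccache_note() {
    case "$1" in
        per-session) echo "own file per login; removed at logout by GSSAPICleanupCredentials, lost on reboot (/tmp)" ;;
        per-user)    echo "shared between sessions; first logout with GSSAPICleanupCredentials deletes it for all" ;;
        collection)  echo "keyring/KCM/dir cache, not a plain file" ;;
        *)           echo "unrecognised cache type" ;;
    esac
}

# audit_host <label> <klist output> -> "<label> <class> <note>"
audit_host() {
    class=$(classify_ccache "$2")
    printf '%s %s %s\n' "$1" "$class" "$(ccache_note "$class")"
}

# Constructed samples shaped like the thread's klist output (values made up).
SAMPLE_TMP='rocky8client.domain.net
Ticket cache: FILE:/tmp/krb5cc_2000_AbCdEfGhIj
Default principal: jdoe@DOMAIN.NET'
SAMPLE_HOME='rocky9server.domain.net
Ticket cache: FILE:/home/jdoe/.krb5cc_2000
Default principal: jdoe@DOMAIN.NET'

audit_host rocky8client "$SAMPLE_TMP"
audit_host rocky9server "$SAMPLE_HOME"
```

To run it against real hosts, replace the two sample strings with the output of the ssh loop from the top of the message, one host per call.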