ssh using gssapi will enforce FILE: credentials cache
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
portable OpenSSH | Unknown | Unknown | |
openssh (Ubuntu) | Confirmed | Wishlist | Unassigned |
Bug Description
Hi,
ssh connections from a client with the following in ssh_config...
GSSAPIAuthentic
GSSAPIDelegateC
... to an Ubuntu 20.04 machine result in KRB5CCNAME being set to 'FILE:/
[libdefaults]
...
default_
This means that we cannot enforce a policy to use KEYRING ccaches across our systems. Authentications which go via the PAM stack (e.g. login to the machine at the console or over ssh using a password) can be configured to use a KEYRING ccache, via libpam-krb5 settings in /etc/krb5.conf.
The FILE: setting seems to be hard-coded in the openssh code (auth-krb5.c). It would be great if ssh(gssapi-
Many thanks
Toby Blake
School of Informatics
University of Edinburgh
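An added check, not part of the bug report and not OpenSSH or libpam-krb5 code: a small POSIX shell audit that tells you which credential-cache type each session actually received, so the gap described above (PAM logins get the KEYRING cache configured in `[libdefaults]`, GSSAPI-delegated ssh logins get a hard-coded `FILE:` cache) can be measured across a fleet rather than assumed. It applies the MIT Kerberos naming rule that a ccache name with no `TYPE:` prefix is a `FILE:` cache, and compares the type against a policy type (KEYRING by default, i.e. what `default_ccache_name = KEYRING:persistent:%{uid}` in `/etc/krb5.conf` hands out). The hostnames and ccache values in `SAMPLE` are constructed for the example; the `ssh` one-liner in the comment is the suggested way to collect real lines.

```shell
#!/bin/sh
# Added example (not from the bug report): audit the credential-cache type a
# session actually received so a KEYRING policy can be checked, not assumed.
# Sample input below is constructed; host-a/host-b/host-c are hypothetical.
#
# Collect real data with one line per host, method and ccache, e.g.:
#   ssh -o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=yes "$h" \
#       'printf "%s gssapi %s\n" "$(hostname)" "$KRB5CCNAME"'

# MIT Kerberos treats a ccache name with no TYPE: prefix as a FILE: cache;
# otherwise the type is everything before the first colon.
ccache_type() {
    case "$1" in
        *:*) printf '%s\n' "${1%%:*}" ;;
        *)   printf 'FILE\n' ;;
    esac
}

# Return 0 when the cache type matches the policy type (default KEYRING).
ccache_matches_policy() {
    _want="${2:-KEYRING}"
    [ "$(ccache_type "$1")" = "$_want" ]
}

# Read "host method ccache" lines on stdin and print one line per violation.
audit_ccaches() {
    _policy="${1:-KEYRING}"
    while read -r _host _method _cc; do
        [ -n "$_host" ] || continue
        if ! ccache_matches_policy "$_cc" "$_policy"; then
            printf 'VIOLATION %s (%s): %s is %s, policy wants %s\n' \
                "$_host" "$_method" "$_cc" "$(ccache_type "$_cc")" "$_policy"
        fi
    done
}

# Number of violations in the lines on stdin (handy for a monitoring check).
audit_count() {
    audit_ccaches "${1:-KEYRING}" | wc -l | tr -d ' '
}

# Constructed sample: password logins got the KEYRING cache from libpam-krb5;
# the GSSAPI-delegated logins show the FILE: cache that sshd hard-codes
# (host-b shows the prefix-less spelling, which is still a FILE: cache).
SAMPLE='host-a password KEYRING:persistent:1000
host-a gssapi FILE:/tmp/krb5cc_1000_Ab12Cd
host-b password KEYRING:persistent:1000
host-b gssapi /tmp/krb5cc_1000_Ef34Gh
host-c gssapi KEYRING:persistent:1000'

# Usage: report every session that did not get a KEYRING cache.
printf '%s\n' "$SAMPLE" | audit_ccaches KEYRING
```

Feeding the script real output from the `ssh` one-liner in the comment gives one VIOLATION line per GSSAPI session that received a `FILE:` cache, which is exactly the set of logins the bug report says cannot currently be brought under a KEYRING policy.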
Hi Toby,
It seems that this is an ongoing topic for years; I've found this discussed from the KRB POV [1] and on openssh [2]. Especially following [1] it seems things aren't too easy, but there are a few workarounds/hints that might or might not help your use case.
In general having this configurable instead of hard-coded in ssh sounds right to me, but would then be an upstream feature request that you could report at [3]. If you happen to do so it would be awesome to report the ID back here so that we can link the bugs and track what upstream thinks/says about it.
One thing though - you write explicitly "to a 20.04 machine"; is that behavior in any way a regression from the former versions?
[1]: http://kerberos.996246.n3.nabble.com/KRB5CCNAME-and-sshd-td13395.html
[2]: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-December/033217.html
[3]: https://bugzilla.mindrot.org/show_bug.cgi