On Wed, Jul 23, 2008 at 12:23 -0700, Russ Allbery wrote:
> John Houck <[EMAIL PROTECTED]> writes:
>
> > By default, for ssh logins that are authenticated by prompting
> > for a kerberos password, pam_krb5.so will put user credentials
> > in /tmp/krb5cc_0, overwriting any existing file by that name,
> > no matter which user owns the file.
>
> What version of OpenSSH are you using? Given that symptom, you almost
> certainly have a broken version.

I believe it's the current Debian/stable version, 1:4.3p2-9etch2

    > ssh -V
    OpenSSH_4.3p2 Debian-9etch2, OpenSSL 0.9.8c 05 Sep 2006

[...]

> The version of OpenSSH that shipped with Debian stable works properly, but
> if you have a mixed oldstable system, you may see this problem.

It's not a mixed system. I formatted the disks and installed
etch myself just a few months ago (it's a new system).

> > The ccache option is supposed to allow customizing the name of the
> > credentials file. Regarding that option, the man page says:
> >
> >     This option can be set in krb5.conf and is only
> >     applicable to the auth and session groups.
> >
> > This is incorrect -- ccache cannot be set in krb5.conf
>
> I'm not sure what to say other than "yes, it can."

I don't know what to say either. I read and re-read all the
docs I could find and tried numerous variations on the documented
syntax for setting the ccache option in krb5.conf. None of that
had any effect. Setting ccache on the pam_krb5.so command line in
/etc/pam.d/common-session solved the problem immediately.

If it will help, I'm happy to repeat the exercise with krb5.conf
and send you any output or config files you'd like to see.

> Support is there in the code and I just tested it and it worked
> fine. That code hasn't changed since 2.3.
>
> Of course, if you have the above problem, you won't see the benefits of
> setting it when logging in via ssh; you'd need to use a non-broken
> program such as login.

For what it's worth, console logins have worked fine all along,
putting credentials in /tmp/krb5cc_UID_XXXXXX.

Thanks,
-John
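The symptom described in this thread (a credential cache named /tmp/krb5cc_0 written for a non-root login) can be audited by comparing each cache file's owner with the UID embedded in its name. The following is an added example, not part of the original message or of pam_krb5; the function name `audit_ccaches` is hypothetical, and it assumes GNU `stat` and the krb5cc_UID[_SUFFIX] naming mentioned above.

```shell
#!/bin/sh
# Added example (not from the thread): flag Kerberos credential cache
# files whose owner differs from the UID embedded in the file name.
# Assumptions: GNU stat (as on Debian) and krb5cc_UID[_SUFFIX] names.

# audit_ccaches DIR
#   Prints "MISMATCH owner=<uid> name_uid=<uid> <path>" for each file
#   whose owner does not match its name. Returns 1 if any were found.
audit_ccaches() {
    dir=${1:-/tmp}
    found=0
    for f in "$dir"/krb5cc_*; do
        # Skip the literal pattern when the glob matched nothing,
        # but keep dangling symlinks so they are still inspected.
        [ -e "$f" ] || [ -L "$f" ] || continue
        base=${f##*/}
        rest=${base#krb5cc_}
        name_uid=${rest%%_*}          # digits before the optional _SUFFIX
        case $name_uid in
            ''|*[!0-9]*) continue ;;  # name does not carry a numeric UID
        esac
        # Without -L, stat reports the link itself, not its target.
        owner=$(stat -c '%u' "$f") || continue
        if [ "$owner" != "$name_uid" ]; then
            echo "MISMATCH owner=$owner name_uid=$name_uid $f"
            found=1
        fi
    done
    return $found
}

# Typical use on a login host:
#   audit_ccaches /tmp
```

A krb5cc_0 file owned by an ordinary user after an ssh login is the pattern reported in this thread; a mismatch in the other direction (a user-named cache owned by someone else) is equally worth investigating.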

