tseegerkrb <tseeger...@gmail.com> writes:

> I think the sshd daemon does not honor the "default_ccache_name" and uses
> the default file format.

I'm pretty sure you're correct if you're doing GSS-API authentication with
ssh.  Looking at the source code to sshd, you don't seem to get much
choice in the matter:

        problem = krb5_cc_new_unique(authctxt->krb5_ctx,
             krb5_fcc_ops.prefix, NULL, &authctxt->krb5_fwd_ccache);
# else
        problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
# endif


        authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);

        len = strlen(authctxt->krb5_ticket_file) + 6;
        authctxt->krb5_ccname = xmalloc(len);
#ifdef USE_CCAPI
        snprintf(authctxt->krb5_ccname, len, "API:%s",
        snprintf(authctxt->krb5_ccname, len, "FILE:%s",

You'd need to write a PAM module that read in that ticket cache file and
wrote it back out to your preferred ticket cache format and then adjusted
KRB5CCNAME in the user's environment.  Unfortunately, there doesn't appear
to be any way of preventing the ticket cache from being temporarily
written to /tmp.

Russ Allbery (ea...@eyrie.org)              <http://www.eyrie.org/~eagle/>
Kerberos mailing list           Kerberos@mit.edu
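
The approach described in the message above, as an added example that is not part of the original message and is not code from OpenSSH or any existing PAM module: a session-stage module that copies the FILE: cache into another cache type with the MIT krb5 API, destroys the /tmp file, and re-points KRB5CCNAME. The names `pam_ccmove`, `dst_ccname` and `WITH_KRB5`, and the `KEYRING:persistent:<uid>` destination, are assumptions chosen for illustration; it also assumes sshd has already exported KRB5CCNAME into the PAM environment before the session stack runs.

```c
/* Added example, not OpenSSH code; KEYRING:persistent:<uid> is a sample target.
 * Module build: cc -DWITH_KRB5 -fPIC -shared -o pam_ccmove.so pam_ccmove.c -lkrb5 -lpam */
#include <stdio.h>
#include <string.h>

/* Build "KRB5CCNAME=<destination>" for the FILE: cache name sshd exported.
 * Returns 0, or -1 if src is not a FILE: cache or dst is too small. */
int dst_ccname(const char *src, unsigned long uid, char *dst, size_t len)
{
    if (src == NULL || strncmp(src, "FILE:/", 6) != 0) return -1;
    int n = snprintf(dst, len, "KRB5CCNAME=KEYRING:persistent:%lu", uid);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

#ifdef WITH_KRB5   /* the part below needs the krb5 and PAM headers */
#include <krb5.h>
#include <pwd.h>
#include <security/pam_modules.h>
/* Session hook: copy the tickets, destroy the /tmp cache, re-point KRB5CCNAME. */
int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    const char *user, *src_name = pam_getenv(pamh, "KRB5CCNAME");
    struct passwd *pw;
    char env[64];
    krb5_context ctx;
    krb5_ccache src = NULL, dst = NULL;
    krb5_principal princ = NULL;
    krb5_error_code ret;

    if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || !(pw = getpwnam(user)))
        return PAM_SESSION_ERR;
    if (dst_ccname(src_name, pw->pw_uid, env, sizeof(env)) != 0)
        return PAM_SUCCESS;              /* no forwarded FILE: cache; nothing to do */
    if (krb5_init_context(&ctx) != 0) return PAM_SESSION_ERR;
    if ((ret = krb5_cc_resolve(ctx, src_name, &src)) == 0 &&
        (ret = krb5_cc_get_principal(ctx, src, &princ)) == 0 &&
        (ret = krb5_cc_resolve(ctx, env + strlen("KRB5CCNAME="), &dst)) == 0 &&
        (ret = krb5_cc_initialize(ctx, dst, princ)) == 0 &&
        (ret = krb5_cc_copy_creds(ctx, src, dst)) == 0) {
        ret = krb5_cc_destroy(ctx, src); /* unlinks the temporary file and frees src */
        src = NULL;
    }
    if (src) krb5_cc_close(ctx, src);
    if (dst) krb5_cc_close(ctx, dst);
    krb5_free_principal(ctx, princ);
    krb5_free_context(ctx);
    return (ret == 0 && pam_putenv(pamh, env) == PAM_SUCCESS) ? PAM_SUCCESS : PAM_SESSION_ERR;
}
int pam_sm_close_session(pam_handle_t *p, int f, int c, const char **v) { return PAM_SUCCESS; }
#endif
```

The module does not stop the cache from first landing in /tmp; it only shortens how long the file exists. A FILE: or DIR: destination would additionally need its ownership set to the user, assuming the session stack runs as root.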
