Thanks for your help. Is my setup so special (Kerberos/OpenLDAP/sssd/sshd) that nobody is using it? I think I will ask Debian/Ubuntu or the OpenSSH maintainer for help.
On 19.09.2016 18:23, Russ Allbery wrote:
> tseegerkrb <tseeger...@gmail.com> writes:
>
>> I think the sshd daemon does not honor the "default_ccache_name" and uses
>> the default file format.
> I'm pretty sure you're correct if you're doing GSS-API authentication with
> ssh. Looking at the source code to sshd, you don't seem to get much
> choice in the matter:
>
> # ifdef HAVE_KRB5_CC_NEW_UNIQUE
>         problem = krb5_cc_new_unique(authctxt->krb5_ctx,
>             krb5_fcc_ops.prefix, NULL, &authctxt->krb5_fwd_ccache);
> # else
>         problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
>             &authctxt->krb5_fwd_ccache);
> # endif
>
> [...]
>
>         authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx,
>             authctxt->krb5_fwd_ccache);
>
>         len = strlen(authctxt->krb5_ticket_file) + 6;
>         authctxt->krb5_ccname = xmalloc(len);
> #ifdef USE_CCAPI
>         snprintf(authctxt->krb5_ccname, len, "API:%s",
>             authctxt->krb5_ticket_file);
> #else
>         snprintf(authctxt->krb5_ccname, len, "FILE:%s",
>             authctxt->krb5_ticket_file);
> #endif
>
> You'd need to write a PAM module that read in that ticket cache file and
> wrote it back out to your preferred ticket cache format and then adjusted
> KRB5CCNAME in the user's environment. Unfortunately, there doesn't appear
> to be any way of preventing the ticket cache from being temporarily
> written to /tmp.
>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
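An added example, not part of the original thread and not OpenSSH or MIT Kerberos code: a shell check that compares a login session's KRB5CCNAME with the default_ccache_name template from krb5.conf, to confirm whether sshd handed the session a FILE: cache instead of the configured type. The function names and sample values are constructed for illustration, and only the %{uid} and %{username} template tokens are handled.

```shell
#!/bin/sh
# Added example: does the session's ticket cache have the type that
# krb5.conf's default_ccache_name asks for? Names below are hypothetical.

# Expand the %{uid} and %{username} tokens of a default_ccache_name
# template. Other tokens are left untouched (assumption: not needed here).
expand_ccache_template() {   # args: template uid username
    printf '%s\n' "$1" | sed -e "s|%{uid}|$2|g" -e "s|%{username}|$3|g"
}

# Print the cache type prefix (FILE, DIR, KEYRING, ...).
# A name without a type prefix is treated as a FILE cache.
ccache_type() {              # args: cache name
    case "$1" in
        /*)  echo FILE ;;
        *:*) printf '%s\n' "${1%%:*}" ;;
        *)   echo FILE ;;
    esac
}

# Return 0 when the session cache has the configured type, 1 otherwise.
# Only the type is compared, because collection types such as KEYRING
# append a per-cache suffix to the configured name.
check_session_ccache() {     # args: KRB5CCNAME template uid username
    expected=$(expand_ccache_template "$2" "$3" "$4")
    have=$(ccache_type "$1")
    want=$(ccache_type "$expected")
    if [ "$have" != "$want" ]; then
        echo "mismatch: session has $1, krb5.conf expects $expected"
        return 1
    fi
    echo "ok: session cache type $have matches krb5.conf"
    return 0
}

# Constructed sample: a GSS-API ssh login that received a FILE cache in
# /tmp although krb5.conf asks for a persistent keyring.
check_session_ccache 'FILE:/tmp/krb5cc_constructed' \
    'KEYRING:persistent:%{uid}' 1000 alice || true
```

In a real session, pass "$KRB5CCNAME", the default_ccache_name value from krb5.conf, "$(id -u)" and "$(id -un)".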