https://bugzilla.mindrot.org/show_bug.cgi?id=2775
Charles Hedrick <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #2 from Charles Hedrick <[email protected]> ---

What happened to this? It's still a problem for us.

In the most recent version, the credential is actually going into /tmp. (I had been using the version from Centos, which has patches from Redhat that caused the problem reported here.) This is clearly not the right behavior. Thus it doesn't appear that the patch referred to here was actually done.

Using /tmp is clearly wrong, and will interfere with Redhat's move to KCM:. I've submitted a bug report to Redhat, since it's their code in Centos, but I'd rather see it fixed here.

Leaving KRB5CCNAME unset would normally do the right thing, but I don't recommend it. There will still have to be code added that understands collections. (configure.ac will have to be modified to see whether krb5_cc_cache_match exists. It was added in 2012. openssh probably wants to support OSs older than that.)

You want behavior to be the same as in kinit and sssd. To avoid overwriting a cache having a different principal, you need to do krb5_cc_cache_match to find a credential in the cache that matches the one you're logging in with. If there isn't then you have to create a new credential in the cache explicitly (if you don't you could overwrite one with a different principal), and arguably make it primary.

In the end, you can set KRB5CCNAME to the collection or leave it unset. In principle it doesn't matter. However for consistency with sssd I'd set it. You really don't want behavior to be different depending upon whether you used a password or not.

I'm willing to write the code if you'll accept it.
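The cache-selection order described in the comment above (match by principal, otherwise create a new cache, then optionally make it primary), as an added example that is not part of the original comment or of OpenSSH. It is a self-contained C model of a cache collection and does not call libkrb5; the struct layout, cache names, principals and every function name other than krb5_cc_cache_match are assumptions, and krb5_cc_new_unique and krb5_cc_switch appear in comments only as the libkrb5 calls those steps stand for.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CACHES 8

/* Constructed in-memory stand-in for a cache collection (DIR:, KEYRING:, KCM:).
 * It does not call libkrb5; comments name the libkrb5 call each step models. */
struct cache { char name[16]; char principal[64]; };
struct collection { struct cache caches[MAX_CACHES]; int count, primary, next_id; };

/* Constructed sample: one existing cache for alice, marked primary. */
struct collection sample_collection(void) {
    struct collection c = { .caches = { { "tkt0", "alice@EXAMPLE.COM" } },
                            .count = 1, .primary = 0, .next_id = 1 };
    return c;
}

/* Models krb5_cc_cache_match(): index of the cache holding princ, or -1. */
static int cache_match(const struct collection *c, const char *princ) {
    for (int i = 0; i < c->count; i++)
        if (strcmp(c->caches[i].principal, princ) == 0) return i;
    return -1;
}

/* Pick the cache for a login as princ; returns its index, or -1 if full. */
int select_cache(struct collection *c, const char *princ, int make_primary) {
    int idx = cache_match(c, princ);
    if (idx < 0) {                       /* no match: never reuse another cache */
        if (c->count == MAX_CACHES) return -1;
        idx = c->count++;                /* models krb5_cc_new_unique() */
        snprintf(c->caches[idx].name, sizeof c->caches[idx].name, "tkt%d", c->next_id++);
        snprintf(c->caches[idx].principal, sizeof c->caches[idx].principal, "%s", princ);
    }
    if (make_primary) c->primary = idx;  /* models krb5_cc_switch() */
    return idx;
}

/* The failure mode: always writing to the primary cache replaces alice. */
int naive_store(struct collection *c, const char *princ) {
    if (c->primary < 0) return -1;
    snprintf(c->caches[c->primary].principal, sizeof c->caches[0].principal, "%s", princ);
    return c->primary;
}

int main(void) {
    struct collection safe = sample_collection(), naive = sample_collection();
    select_cache(&safe, "bob@EXAMPLE.COM", 1);
    naive_store(&naive, "bob@EXAMPLE.COM");
    printf("safe: %d caches, alice kept=%d\n", safe.count, cache_match(&safe, "alice@EXAMPLE.COM") >= 0);
    printf("naive: %d caches, alice kept=%d\n", naive.count, cache_match(&naive, "alice@EXAMPLE.COM") >= 0);
    return 0;
}
```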
