https://bugzilla.mindrot.org/show_bug.cgi?id=2775
--- Comment #5 from Charles Hedrick <[email protected]> ---

OK, I tested master with the second patch. Some issues:

Default is KCM:. On the target system I have an expired ticket in KCM:1003. I do kerberized ssh. The login happens, but the default cc is still KCM:1003, and the ticket is still expired.

I suspect the problem is that you didn't do seteuid to the user. The KCM: implementation is weird. There's no way for root to refer to the default collection of a user. With KEYRING, you can use KEYRING:persistent:%{uid}, but KCM:1003 isn't a collection; it's a specific ccache. The only way to refer to the collection is KCM: alone, and that only works if you're the right user. I actually think this is a problem. I think KCM:1003 should be a collection, and the first ticket should be something like KCM:1003:1003, but the implementor doesn't see this as a problem.

Using KEYRING:persistent:%{uid} I have two things in the collection, hedrick and hedrick.admin, with hedrick.admin selected. It adds a third cache for hedrick and selects it. It should really use krb5_cc_cache_match to find the original hedrick, update it with the new credential, and switch to it.

I have one credential, for hedrick. It adds a second one. I think this is a mistake. sssd will reuse the existing credential cache.

sssd will also set KRB5CCNAME, which I think is preferred, though leaving it unset isn't really a bug.
