https://bugzilla.mindrot.org/show_bug.cgi?id=2775
--- Comment #8 from Jakub Jelen <[email protected]> ---

Thank you very much for the review, trying the patch and the valuable comments.

I did not know about the krb5_cc_cache_match() function, and it would certainly make sense to reuse the same principal instead of creating a new entry.

About the compatibility with older kerberoses, this is probably a question for upstream. Here in Red Hat, we will probably not need to support anything older than 1.15.

About switching to the user context, we indeed do it, but at the time of the credential creation we cannot switch both the euid and the real uid permanently yet, and the Kerberos code is using the real uids for the template expansions.

As you describe for the KCM cache, it is not possible to use it, since it does not have any collection that would be accessible from root and from the user under the same name, which I also consider a bad design, but the Kerberos guys do not see it as an issue.

We used to set KRB5CCNAME, but it has its own drawbacks. After creating the credential in a collection, I did not find any unified way to get from Kerberos the name of the containing collection, which I could use for the above environment variable. There used to be several workarounds for various collections (FILE, DIR, ...), and setting it wrongly caused issues such as [1].

I will try to have a look into your proposed changes and incorporate them into the patch.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1199363
