https://bugzilla.mindrot.org/show_bug.cgi?id=2775
--- Comment #9 from Charles Hedrick <[email protected]> ---

I wasn't suggesting changing permanently to the user's context, just changing temporarily while you generate the ccname, and while you open the ccache (for KCM). I'm not sure which uid you need to set for each of these operations, but as long as the saved uid remains 0 you can get back. Look at setresuid.

That assumes there aren't portability problems with setresuid. I don't know whether portable openssh supports any OSes without saved uid, but if so they'll probably be old enough to use the old code, the same as if they have an old Kerberos.

RHEL has announced that KCM: will be the default for the next release. I don't think you want sshd to not support it. This is portable ssh, not the RHEL-specific patch, so KCM support could be added in RHEL-specific code, but since KCM is going to be on all versions through sssd, I'd prefer to see it done portably.

As to Kerberos versions, this is the bugzilla for portable openssh. Isn't this the version that would most likely be used for old Linuxes, Solaris 2.8, etc.? It's not hard to accommodate old Kerberos. Just omit all the new code. I believe the latest version of the patch leaves in the code to act the old way but doesn't use it by default. It should become the only code if collections don't exist. This has to be done at compile time, not run time, since you won't be able to compile code with the collections API on an old Kerberos.

As to KRB5CCNAME: I understand the problems with setting it. The old code sets it wrong. But sssd sets it, and I don't think you want behavior to depend upon whether you typed a password or used Kerberos. I conjecture that you can simply use the expanded value of the default from krb5.conf. I think that will always do the right thing. Can you think of counterexamples?
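The temporary switch suggested in the comment above, as an added example that is not part of the original comment or of OpenSSH's code: only the effective uid/gid change, so the saved uid stays as it was and the process can switch back. `run_with_temp_euid`, `as_user_fn` and `record_euid` are hypothetical names, and the callback stands in for generating the ccname or opening the ccache.

```c
#define _GNU_SOURCE             /* setresuid/setresgid on glibc */
#include <sys/types.h>
#include <unistd.h>

/* Repeated so the block builds even if feature macros were fixed earlier. */
int setresuid(uid_t, uid_t, uid_t);
int setresgid(gid_t, gid_t, gid_t);

typedef int (*as_user_fn)(void *arg);   /* hypothetical callback type */

/*
 * Run fn(arg) with the effective uid/gid set to uid/gid, then switch back.
 * Real and saved ids are passed as -1 (unchanged), so a daemon started as
 * root keeps saved uid 0 and is permitted to restore itself afterwards.
 * Returns fn's result, or -1 if the switch failed.
 * Supplementary groups are not changed here.
 */
int run_with_temp_euid(uid_t uid, gid_t gid, as_user_fn fn, void *arg)
{
    uid_t old_euid = geteuid();
    gid_t old_egid = getegid();
    int rc;

    /* Group first: once the euid is non-zero the gid can no longer change. */
    if (setresgid((gid_t)-1, gid, (gid_t)-1) != 0)
        return -1;
    if (setresuid((uid_t)-1, uid, (uid_t)-1) != 0) {
        if (setresgid((gid_t)-1, old_egid, (gid_t)-1) != 0)
            _exit(1);
        return -1;
    }

    rc = fn(arg);

    /* Uid first on the way back, so the gid restore has privilege again. */
    if (setresuid((uid_t)-1, old_euid, (uid_t)-1) != 0 ||
        setresgid((gid_t)-1, old_egid, (gid_t)-1) != 0)
        _exit(1);               /* never continue half-switched */
    if (geteuid() != old_euid || getegid() != old_egid)
        _exit(1);               /* verify the restore, do not assume it */
    return rc;
}

/* Stand-in for the ccname/ccache work: records the euid it ran under. */
int record_euid(void *arg)
{
    *(uid_t *)arg = geteuid();
    return 0;
}
```

The order of the calls is the part that is easy to get wrong: reversing either pair leaves the process unable to change its gid.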
