[Touch-packages] [Bug 1889548] Re: ssh using gssapi will enforce FILE: credentials cache
Toby, you are mostly interested in this because you have some sort of
policy, perhaps one that doesn't allow secrets to be stored on disk in
clear text and protected just by filesystem permissions?
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1889548
Title:
ssh using gssapi will enforce FILE: credentials cache
Status in portable OpenSSH:
Unknown
Status in openssh package in Ubuntu:
Confirmed
Bug description:
Hi,
ssh connections from a client with the following in ssh_config...
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
... to an ubuntu 20.04 machine result in KRB5CCNAME being set to
'FILE:/tmp/krb5cc_[uid]_[random]' despite the following in
/etc/krb5.conf:
[libdefaults]
...
default_ccache_name = KEYRING:persistent:%{uid}
This means that we cannot enforce a policy to use KEYRING ccaches
across our systems. Authentications which go via the pam stack (e.g.
login to the machine at the console or over ssh using a password) can
be configured to use a KEYRING ccache, via libpam-krb5 settings in
/etc/krb5.conf.
The FILE: setting seems to be hard-coded in the openssh code (auth-
krb5.c). It would be great if ssh(gssapi-with-mic) connections either
(a) set KRB5CCNAME to the default_ccache_name value, if set in
/etc/krb5.conf, or (b) didn't set KRB5CCNAME at all, so the system
default is used.
Many thanks
Toby Blake
School of Informatics
University of Edinburgh
To manage notifications about this bug go to:
https://bugs.launchpad.net/openssh/+bug/1889548/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1889548] Re: ssh using gssapi will enforce FILE: credentials cache
** Also affects: openssh via
https://bugzilla.mindrot.org/show_bug.cgi?id=3203
Importance: Unknown
Status: Unknown
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1889548
Title:
ssh using gssapi will enforce FILE: credentials cache
Status in portable OpenSSH:
Unknown
Status in openssh package in Ubuntu:
Confirmed
Bug description:
Hi,
ssh connections from a client with the following in ssh_config...
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
... to an ubuntu 20.04 machine result in KRB5CCNAME being set to
'FILE:/tmp/krb5cc_[uid]_[random]' despite the following in
/etc/krb5.conf:
[libdefaults]
...
default_ccache_name = KEYRING:persistent:%{uid}
This means that we cannot enforce a policy to use KEYRING ccaches
across our systems. Authentications which go via the pam stack (e.g.
login to the machine at the console or over ssh using a password) can
be configured to use a KEYRING ccache, via libpam-krb5 settings in
/etc/krb5.conf.
The FILE: setting seems to be hard-coded in the openssh code (auth-
krb5.c). It would be great if ssh(gssapi-with-mic) connections either
(a) set KRB5CCNAME to the default_ccache_name value, if set in
/etc/krb5.conf, or (b) didn't set KRB5CCNAME at all, so the system
default is used.
Many thanks
Toby Blake
School of Informatics
University of Edinburgh
To manage notifications about this bug go to:
https://bugs.launchpad.net/openssh/+bug/1889548/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1889548] Re: ssh using gssapi will enforce FILE: credentials cache
Hi there,
I'm afraid I haven't had much time to look properly into this recently,
but it remains on my list.
In the meantime, I've submitted an enhancement request upstream:
https://bugzilla.mindrot.org/show_bug.cgi?id=3203
Cheers
Toby
** Bug watch added: OpenSSH Portable Bugzilla #3203
https://bugzilla.mindrot.org/show_bug.cgi?id=3203
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1889548
Title:
ssh using gssapi will enforce FILE: credentials cache
Status in openssh package in Ubuntu:
Confirmed
Bug description:
Hi,
ssh connections from a client with the following in ssh_config...
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
... to an ubuntu 20.04 machine result in KRB5CCNAME being set to
'FILE:/tmp/krb5cc_[uid]_[random]' despite the following in
/etc/krb5.conf:
[libdefaults]
...
default_ccache_name = KEYRING:persistent:%{uid}
This means that we cannot enforce a policy to use KEYRING ccaches
across our systems. Authentications which go via the pam stack (e.g.
login to the machine at the console or over ssh using a password) can
be configured to use a KEYRING ccache, via libpam-krb5 settings in
/etc/krb5.conf.
The FILE: setting seems to be hard-coded in the openssh code (auth-
krb5.c). It would be great if ssh(gssapi-with-mic) connections either
(a) set KRB5CCNAME to the default_ccache_name value, if set in
/etc/krb5.conf, or (b) didn't set KRB5CCNAME at all, so the system
default is used.
Many thanks
Toby Blake
School of Informatics
University of Edinburgh
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1889548/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1889548] Re: ssh using gssapi will enforce FILE: credentials cache
Hi Christian,
Again, thanks for the above.
https://bugzilla.mindrot.org/show_bug.cgi?id=2775, in particular, looks
interesting, as it seems to be an attempt to bring the relevant ccache
patches up to date for version 8. e.g. we have been patching our SL
systems additionally for
https://bugzilla.redhat.com/show_bug.cgi?id=1199363.
I'll give this a try and report back. I'll hold off on reporting this
as a bug upstream until I've tried the patch(es).
Cheers
Toby
** Bug watch added: Red Hat Bugzilla #1199363
https://bugzilla.redhat.com/show_bug.cgi?id=1199363
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1889548
Title:
ssh using gssapi will enforce FILE: credentials cache
Status in openssh package in Ubuntu:
Confirmed
Bug description:
Hi,
ssh connections from a client with the following in ssh_config...
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
... to an ubuntu 20.04 machine result in KRB5CCNAME being set to
'FILE:/tmp/krb5cc_[uid]_[random]' despite the following in
/etc/krb5.conf:
[libdefaults]
...
default_ccache_name = KEYRING:persistent:%{uid}
This means that we cannot enforce a policy to use KEYRING ccaches
across our systems. Authentications which go via the pam stack (e.g.
login to the machine at the console or over ssh using a password) can
be configured to use a KEYRING ccache, via libpam-krb5 settings in
/etc/krb5.conf.
The FILE: setting seems to be hard-coded in the openssh code (auth-
krb5.c). It would be great if ssh(gssapi-with-mic) connections either
(a) set KRB5CCNAME to the default_ccache_name value, if set in
/etc/krb5.conf, or (b) didn't set KRB5CCNAME at all, so the system
default is used.
Many thanks
Toby Blake
School of Informatics
University of Edinburgh
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1889548/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1889548] Re: ssh using gssapi will enforce FILE: credentials cache
Due to that hint with SciLinux I have fetched
http://ftp.scientificlinux.org/linux/scientific/7.8/SRPMS/vendor/openssh-7.4p1-21.el7.src.rpm
I can't see it but that is https://bugzilla.redhat.com/show_bug.cgi?id=991186
I can see follow on issues referring to it
https://bugzilla.redhat.com/show_bug.cgi?id=1161073 thou.
# use default_ccache_name from /etc/krb5.conf (#991186)
Patch902: openssh-6.3p1-krb5-use-default_ccache_name.patch
The patch is not/no-more in
https://git.centos.org/rpms/openssh/blob/c8/f/SOURCES
But in
https://git.centos.org/rpms/openssh/blob/c7/f/SOURCES/openssh-6.3p1-krb5-use-default_ccache_name.patch
That is suspicious, there must be a reason it is gone right?
Maybe it was hard to maintain or somewhat bad and they only could drop it on
the major version change.
In the v8 spec I find:
# Improve ccache handling in openssh (#991186, #1199363, #1566494)
# https://bugzilla.mindrot.org/show_bug.cgi?id=2775
Patch804: openssh-7.7p1-gssapi-new-unique.patch
# Respect k5login_directory option in krk5.conf (#1328243)
Patch805: openssh-7.2p2-k5login_directory.patch
FYI navigate from here
https://git.centos.org/rpms/openssh/blob/c8/f/SPECS/openssh.spec
I'm not sure on this, but maybe carrying more of the RH sauce back to upstream
might help.
Definitely activity on the new or old upstream bug will be needed.
Keep us in the loop here what happens.
** Bug watch added: Red Hat Bugzilla #991186
https://bugzilla.redhat.com/show_bug.cgi?id=991186
** Bug watch added: Red Hat Bugzilla #1161073
https://bugzilla.redhat.com/show_bug.cgi?id=1161073
** Bug watch added: OpenSSH Portable Bugzilla #2775
https://bugzilla.mindrot.org/show_bug.cgi?id=2775
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1889548
Title:
ssh using gssapi will enforce FILE: credentials cache
Status in openssh package in Ubuntu:
Confirmed
Bug description:
Hi,
ssh connections from a client with the following in ssh_config...
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
... to an ubuntu 20.04 machine result in KRB5CCNAME being set to
'FILE:/tmp/krb5cc_[uid]_[random]' despite the following in
/etc/krb5.conf:
[libdefaults]
...
default_ccache_name = KEYRING:persistent:%{uid}
This means that we cannot enforce a policy to use KEYRING ccaches
across our systems. Authentications which go via the pam stack (e.g.
login to the machine at the console or over ssh using a password) can
be configured to use a KEYRING ccache, via libpam-krb5 settings in
/etc/krb5.conf.
The FILE: setting seems to be hard-coded in the openssh code (auth-
krb5.c). It would be great if ssh(gssapi-with-mic) connections either
(a) set KRB5CCNAME to the default_ccache_name value, if set in
/etc/krb5.conf, or (b) didn't set KRB5CCNAME at all, so the system
default is used.
Many thanks
Toby Blake
School of Informatics
University of Edinburgh
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1889548/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1889548] Re: ssh using gssapi will enforce FILE: credentials cache
Hi Christian,
Thanks for your reply (and for the links). I agree that a configurable
option coming from upstream would be the preferred option. I'll submit
a bug upstream accordingly and note the ID here.
I note there's a patch referenced in the openssh mailing list link,
unfortunately the link is a 404 - I'll see if I can track it down via
other means. On this topic, we've been using ssh on scientific linux
for a number of years now and that is patched to use the default ccache
name. It would be interesting to see if it's the same or similar as the
404 patch above.
Depending on the outcome of my upstream bug report, I'll see if I can
port any patches we use to the current ubuntu/upstream code base.
As to your final question re: regression - I don't think so, looking at
the code, but we are only now in the process of converting desktop
machines to ubuntu.
Cheers
Toby
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1889548
Title:
ssh using gssapi will enforce FILE: credentials cache
Status in openssh package in Ubuntu:
Confirmed
Bug description:
Hi,
ssh connections from a client with the following in ssh_config...
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
... to an ubuntu 20.04 machine result in KRB5CCNAME being set to
'FILE:/tmp/krb5cc_[uid]_[random]' despite the following in
/etc/krb5.conf:
[libdefaults]
...
default_ccache_name = KEYRING:persistent:%{uid}
This means that we cannot enforce a policy to use KEYRING ccaches
across our systems. Authentications which go via the pam stack (e.g.
login to the machine at the console or over ssh using a password) can
be configured to use a KEYRING ccache, via libpam-krb5 settings in
/etc/krb5.conf.
The FILE: setting seems to be hard-coded in the openssh code (auth-
krb5.c). It would be great if ssh(gssapi-with-mic) connections either
(a) set KRB5CCNAME to the default_ccache_name value, if set in
/etc/krb5.conf, or (b) didn't set KRB5CCNAME at all, so the system
default is used.
Many thanks
Toby Blake
School of Informatics
University of Edinburgh
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1889548/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1889548] Re: ssh using gssapi will enforce FILE: credentials cache
Hi Toby,
It seems that is an ongoing topic for years, I've found this discussed
from the KRB POV [1] and on openssh [2]. Especially following [1] it
seems things aren't too easy but there are a few workarounds/hints that
might or might not help your use case.
In general having this configurable instead of hard-coded in ssh sounds
right to me, but would then be an upstream feature request that you
could report at [3]. If you happen to do so it would be awesome to
report the ID back here so that we can link the bugs and track what
upstream thinks/says about it.
One thing thou - you write explicitly "to a 20.04 machine" is that behavior in
any way a regression to the former versions?
[1]: http://kerberos.996246.n3.nabble.com/KRB5CCNAME-and-sshd-td13395.html
[2]:
https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-December/033217.html
[3]: https://bugzilla.mindrot.org/show_bug.cgi
** Changed in: openssh (Ubuntu)
Status: New => Confirmed
** Changed in: openssh (Ubuntu)
Importance: Undecided => Wishlist
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1889548
Title:
ssh using gssapi will enforce FILE: credentials cache
Status in openssh package in Ubuntu:
Confirmed
Bug description:
Hi,
ssh connections from a client with the following in ssh_config...
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
... to an ubuntu 20.04 machine result in KRB5CCNAME being set to
'FILE:/tmp/krb5cc_[uid]_[random]' despite the following in
/etc/krb5.conf:
[libdefaults]
...
default_ccache_name = KEYRING:persistent:%{uid}
This means that we cannot enforce a policy to use KEYRING ccaches
across our systems. Authentications which go via the pam stack (e.g.
login to the machine at the console or over ssh using a password) can
be configured to use a KEYRING ccache, via libpam-krb5 settings in
/etc/krb5.conf.
The FILE: setting seems to be hard-coded in the openssh code (auth-
krb5.c). It would be great if ssh(gssapi-with-mic) connections either
(a) set KRB5CCNAME to the default_ccache_name value, if set in
/etc/krb5.conf, or (b) didn't set KRB5CCNAME at all, so the system
default is used.
Many thanks
Toby Blake
School of Informatics
University of Edinburgh
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1889548/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
