Public bug reported:

Hi,

ssh connections from a client with the following in ssh_config...

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

... to an Ubuntu 20.04 machine result in KRB5CCNAME being set to
'FILE:/tmp/krb5cc_[uid]_[random]' despite the following in
/etc/krb5.conf:

[libdefaults]
 ...
 default_ccache_name = KEYRING:persistent:%{uid}

This means that we cannot enforce a policy to use KEYRING ccaches across
our systems.  Authentications which go via the pam stack (e.g. login to
the machine at the console or over ssh using a password) can be
configured to use a KEYRING ccache, via libpam-krb5 settings in
/etc/krb5.conf.

The FILE: setting seems to be hard-coded in the openssh code
(auth-krb5.c).  It would be great if ssh (gssapi-with-mic) connections
either (a) set KRB5CCNAME to the default_ccache_name value, if set in
/etc/krb5.conf, or (b) didn't set KRB5CCNAME at all, so the system
default is used.

Many thanks
Toby Blake
School of Informatics
University of Edinburgh

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New
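
An audit check for the behaviour described in this report, added here as an example (not part of the original report or of OpenSSH): it reads default_ccache_name from krb5.conf and flags a session whose KRB5CCNAME uses a different cache type. The function names and sample values are made up for illustration, and only the %{uid} token is expanded.

```shell
#!/bin/sh
# Added example: compare a session's KRB5CCNAME with the krb5.conf policy.

# Print default_ccache_name from [libdefaults] in krb5.conf file $1, with
# %{uid} replaced by $2 (other %{...} tokens are left untouched).
expected_ccache() {
    awk -v uid="$2" '
        /^[ \t]*[#;]/ { next }    # comment line
        /^[ \t]*\[/   { insec = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        insec && /^[ \t]*default_ccache_name[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, "")
            gsub(/%[{]uid[}]/, uid)
            print; exit           # first occurrence only
        }
    ' "$1"
}

# Cache type is the text before the first ':'. Assumption: a name with no
# type prefix is a FILE cache.
ccache_type() {
    case "$1" in
        *:*) printf '%s\n' "${1%%:*}" ;;
        *)   printf 'FILE\n' ;;
    esac
}

# check_ccache CONF UIDNUM CCNAME -> 0 compliant, 1 mismatch, 2 no policy set
check_ccache() {
    want=$(expected_ccache "$1" "$2")
    [ -n "$want" ] || { echo "no default_ccache_name in $1"; return 2; }
    # With KRB5CCNAME unset, the configured default applies (option (b)).
    [ -n "$3" ] || { echo "ok: KRB5CCNAME unset, $want applies"; return 0; }
    if [ "$(ccache_type "$3")" = "$(ccache_type "$want")" ]; then
        echo "ok: $3"; return 0
    fi
    echo "MISMATCH: session has $3, policy is $want"; return 1
}

# Constructed sample mirroring the report: policy is KEYRING, session got FILE.
# On a real host: check_ccache /etc/krb5.conf "$(id -u)" "${KRB5CCNAME:-}"
conf=$(mktemp)
printf '[libdefaults]\n default_ccache_name = KEYRING:persistent:%%{uid}\n' > "$conf"
check_ccache "$conf" 1000 'FILE:/tmp/krb5cc_1000_AbCdEf' || true
rm -f "$conf"
```

Run from inside a GSSAPI-authenticated ssh session, a non-zero exit status marks a host where sshd has overridden the configured cache type.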

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1889548

Title:
  ssh using gssapi will enforce FILE: credentials cache
