Hi Toby,

It seems that this is an ongoing topic for years; I've found this discussed from the KRB POV [1] and on openssh [2]. Especially following [1] it seems things aren't too easy, but there are a few workarounds/hints that might or might not help your use case.

In general having this configurable instead of hard-coded in ssh sounds right to me, but it would then be an upstream feature request that you could report at [3]. If you happen to do so it would be awesome to report the ID back here so that we can link the bugs and track what upstream thinks/says about it.

One thing though - you write explicitly "to a 20.04 machine"; is that behavior in any way a regression from the former versions?

[1]: http://kerberos.996246.n3.nabble.com/KRB5CCNAME-and-sshd-td13395.html
[2]: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-December/033217.html
[3]: https://bugzilla.mindrot.org/show_bug.cgi

** Changed in: openssh (Ubuntu)
       Status: New => Confirmed

** Changed in: openssh (Ubuntu)
   Importance: Undecided => Wishlist

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1889548

Title:
  ssh using gssapi will enforce FILE: credentials cache

Status in openssh package in Ubuntu:
  Confirmed

Bug description:
  Hi,

  ssh connections from a client with the following in ssh_config...

  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes

  ... to an ubuntu 20.04 machine result in KRB5CCNAME being set to
  'FILE:/tmp/krb5cc_[uid]_[random]' despite the following in /etc/krb5.conf:

  [libdefaults]
  ...
  default_ccache_name = KEYRING:persistent:%{uid}

  This means that we cannot enforce a policy to use KEYRING ccaches across
  our systems.

  Authentications which go via the pam stack (e.g. login to the machine at
  the console or over ssh using a password) can be configured to use a
  KEYRING ccache, via libpam-krb5 settings in /etc/krb5.conf.

  The FILE: setting seems to be hard-coded in the openssh code
  (auth-krb5.c).

  It would be great if ssh(gssapi-with-mic) connections either (a) set
  KRB5CCNAME to the default_ccache_name value, if set in /etc/krb5.conf,
  or (b) didn't set KRB5CCNAME at all, so the system default is used.

  Many thanks
  Toby Blake
  School of Informatics
  University of Edinburgh

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1889548/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
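The bug report above boils down to one observable: after a GSSAPI login, the session's KRB5CCNAME names a FILE: cache even though krb5.conf asks for KEYRING:. The script below is an added example (not part of the Launchpad thread or of OpenSSH) that makes that check mechanical, so an admin auditing a fleet for the policy Toby describes can run it in a login session and get a MISMATCH/OK verdict. It assumes MIT-style krb5.conf syntax (a [libdefaults] section with "key = value" lines) and the MIT rule that a cache name without a type prefix means FILE:; the krb5.conf it feeds itself is constructed to mirror the one quoted in the report.

```shell
#!/bin/sh
# Added example: compare the credential cache type a session actually got
# (KRB5CCNAME) against default_ccache_name from krb5.conf.
# Assumptions: MIT krb5.conf syntax; a ccache name without "TYPE:" is FILE.

# Print the default_ccache_name value from the [libdefaults] section of the
# krb5.conf given as $1; print nothing if it is not set there.
krb5_default_ccache_name() {
    awk '
        # A section header switches us in or out of [libdefaults].
        /^[ \t]*\[/ { in_ld = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_ld && /^[ \t]*default_ccache_name[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")   # drop "default_ccache_name ="
            sub(/[ \t]+$/, "")         # drop trailing whitespace
            print; exit
        }
    ' "$1"
}

# Print the TYPE part of a ccache name ("FILE", "KEYRING", "DIR", ...).
ccache_type() {
    case "$1" in
        *:*) printf '%s\n' "${1%%:*}" ;;
        *)   printf 'FILE\n' ;;        # MIT treats a bare path as FILE:
    esac
}

# Return 0 if the session's ccache name ($2) uses the same cache type that
# default_ccache_name in krb5.conf ($1) requests, 1 otherwise.
# Only the type is compared: %{uid} in krb5.conf is not expanded here.
ccache_matches_default() {
    conf="$1"; got="$2"
    want=$(krb5_default_ccache_name "$conf")
    if [ -z "$want" ]; then
        echo "no default_ccache_name in $conf; library default applies"
        return 0
    fi
    want_type=$(ccache_type "$want")
    got_type=$(ccache_type "$got")
    if [ "$want_type" = "$got_type" ]; then
        echo "OK: KRB5CCNAME=$got uses $want_type as configured"
        return 0
    fi
    echo "MISMATCH: krb5.conf wants $want_type ($want) but session got $got_type ($got)"
    return 1
}

# Demo on a constructed krb5.conf mirroring the bug report's [libdefaults].
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    default_ccache_name = KEYRING:persistent:%{uid}
EOF
# What the report says an sshd GSSAPI login hands out:
ccache_matches_default "$demo_conf" "FILE:/tmp/krb5cc_1000_AbCdEf" || true
# What a pam_krb5 console login honouring krb5.conf would hand out:
ccache_matches_default "$demo_conf" "KEYRING:persistent:1000"
# On a real host, check the live session instead:
#   ccache_matches_default /etc/krb5.conf "${KRB5CCNAME:-}"
rm -f "$demo_conf"
```

Run it inside the ssh session in question (or from a cron job that logs the verdict) with /etc/krb5.conf and the session's own KRB5CCNAME; an empty KRB5CCNAME is treated as a bare FILE: name, which is the library's default when the variable is unset and no default_ccache_name applies.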

