** Also affects: openssh via https://bugzilla.mindrot.org/show_bug.cgi?id=3203 Importance: Unknown Status: Unknown
-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1889548 Title: ssh using gssapi will enforce FILE: credentials cache Status in portable OpenSSH: Unknown Status in openssh package in Ubuntu: Confirmed Bug description: Hi, ssh connections from a client with the following in ssh_config... GSSAPIAuthentication yes GSSAPIDelegateCredentials yes ... to an ubuntu 20.04 machine result in KRB5CCNAME being set to 'FILE:/tmp/krb5cc_[uid]_[random]' despite the following in /etc/krb5.conf: [libdefaults] ... default_ccache_name = KEYRING:persistent:%{uid} This means that we cannot enforce a policy to use KEYRING ccaches across our systems. Authentications which go via the pam stack (e.g. login to the machine at the console or over ssh using a password) can be configured to use a KEYRING ccache, via libpam-krb5 settings in /etc/krb5.conf. The FILE: setting seems to be hard-coded in the openssh code (auth- krb5.c). It would be great if ssh(gssapi-with-mic) connections either (a) set KRB5CCNAME to the default_ccache_name value, if set in /etc/krb5.conf, or (b) didn't set KRB5CCNAME at all, so the system default is used. Many thanks Toby Blake School of Informatics University of Edinburgh To manage notifications about this bug go to: https://bugs.launchpad.net/openssh/+bug/1889548/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
