On Fri, Jan 22, 2016 at 03:31:22PM +0100, Dag-Erling Sm?rgrav wrote:> The HPN and None cipher patches have been removed from FreeBSD-CURRENT. > I intend to remove them from FreeBSD-STABLE this weekend.Can you do some small discurs about ssh+kerberos? I am try to use FreeBSD with $HOME over kerberoized NFS. For kerberoized NFS gssd need to find cache file "called /tmp/krb5cc_<uid>, where <uid> is the effective uid for the RPC caller" (from `man gssd`). sshd contrary create cache file for received ticket called /tmp/krb5cc_XXXXXXX (random string, created by krb5_cc_new_unique). Is this strong security requirement or [FreeBSD/upstream] can be patched (or introduce option) to use /tmp/krb5cc_<uid> as cache file for received ticket?
Slawa Olhovchenkov <slw at zxy.spb.ru> writes:> Can you do some small discurs about ssh+kerberos? > I am try to use FreeBSD with $HOME over kerberoized NFS. > For kerberoized NFS gssd need to find cache file "called > /tmp/krb5cc_<uid>, where <uid> is the effective uid for the RPC > caller" (from `man gssd`). > > sshd contrary create cache file for received ticket called > /tmp/krb5cc_XXXXXXX (random string, created by krb5_cc_new_unique). Is > this strong security requirement or [FreeBSD/upstream] can be patched > (or introduce option) to use /tmp/krb5cc_<uid> as cache file for > received ticket?I wasn't aware of that. It should be easy to patch, but in the meantime, you can try something like this in .bashrc or whatever: krb5cc_uid="/tmp/krb5cc_$(id -u)" if [ -n "${KRB5CCNAME}" -a "${KRB5CCNAME}" != "${krb5ccuid}" ] ; then if mv "${KRB5CCNAME}" "${krb5ccuid}" ; then export KRB5CCNAME="${krb5ccuid}" else echo "Unable to rename krb5 credential cache" >&2 fi fi unset krb5ccuid DES -- Dag-Erling Sm?rgrav - des at des.no