bugzilla-daemon at mindrot.org
2020-Aug-26 11:34 UTC
[Bug 3203] New: Could default_ccache_name from krb5.conf be used for GSSAPI connections?
https://bugzilla.mindrot.org/show_bug.cgi?id=3203

            Bug ID: 3203
           Summary: Could default_ccache_name from krb5.conf be used for GSSAPI connections?
           Product: Portable OpenSSH
           Version: 8.3p1
          Hardware: ix86
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Kerberos support
          Assignee: unassigned-bugs at mindrot.org
          Reporter: toby at inf.ed.ac.uk

Hi there,

I'm filing this bug upstream as suggested in this Ubuntu bug report:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1889548

I'll recreate my original text from that ticket here:

"
ssh connections from a client with the following in ssh_config...

    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

... to an Ubuntu 20.04 machine result in KRB5CCNAME being set to
'FILE:/tmp/krb5cc_[uid]_[random]' despite the following in /etc/krb5.conf:

    [libdefaults]
    ...
    default_ccache_name = KEYRING:persistent:%{uid}

This means that we cannot enforce a policy to use KEYRING ccaches across our
systems. Authentications which go via the PAM stack (e.g. login to the machine
at the console or over ssh using a password) can be configured to use a KEYRING
ccache, via libpam-krb5 settings in /etc/krb5.conf.

The FILE: setting seems to be hard-coded in the openssh code (auth-krb5.c).

It would be great if ssh (gssapi-with-mic) connections either (a) set KRB5CCNAME
to the default_ccache_name value, if set in /etc/krb5.conf, or (b) didn't set
KRB5CCNAME at all, so the system default is used.
"

Red Hat already patches for this, but they patch the upstream source quite
heavily (as does Ubuntu, but in different ways). I'm hoping to spend more time
on getting a patch to do this on Ubuntu, but I suspect that wouldn't be of much
use upstream.

Would there be interest in implementing this functionality upstream?

Thanks
Toby Blake
School of Informatics
University of Edinburgh

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
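A check for the policy gap the report describes, added here as an example and not code from the bug thread or from OpenSSH: it reads default_ccache_name from a krb5.conf, expands %{uid}, and compares the result with a session's KRB5CCNAME, so an audit of fresh GSSAPI logins can flag the hard-coded FILE: cache. The sample krb5.conf and cache names are constructed, and the FILE:/tmp/krb5cc_%{uid} fallback is assumed to be the MIT library's compiled-in default.

```shell
#!/bin/sh
# Added example (not from the bug thread or OpenSSH): does a session's KRB5CCNAME
# follow the default_ccache_name policy in krb5.conf? Assumptions: only %{uid}
# and %{euid} are expanded, and FILE:/tmp/krb5cc_%{uid} (MIT's compiled-in
# default) applies when the key is unset.

# expected_ccache CONF UID: print default_ccache_name from [libdefaults] of CONF
# with %{uid}/%{euid} replaced by UID.
expected_ccache() {
    conf="$1"; uid="$2"
    name=$(awk '
        /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && /^[ \t]*default_ccache_name[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$conf")
    [ -n "$name" ] || name="FILE:/tmp/krb5cc_%{uid}"
    printf '%s\n' "$name" | sed "s/%{uid}/$uid/g; s/%{euid}/$uid/g"
}

# ccache_matches_policy CONF UID ACTUAL: 0 if ACTUAL is the policy cache or a
# subsidiary cache in that collection ("<policy>:..."), 1 otherwise. sshd's
# hard-coded FILE:/tmp/krb5cc_<uid>_<random> from the report fails a KEYRING:
# or KCM: policy, which is what an audit of fresh GSSAPI logins should flag.
ccache_matches_policy() {
    want=$(expected_ccache "$1" "$2")
    case "$3" in
        "$want"|"$want":*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on a constructed krb5.conf (not a real host's file) with the two cache
# names from the report: sshd's FILE: cache versus the KEYRING policy.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    default_ccache_name = KEYRING:persistent:%{uid}
EOF
for cc in "FILE:/tmp/krb5cc_1000_Ab3dE9" "KEYRING:persistent:1000"; do
    if ccache_matches_policy "$demo_conf" 1000 "$cc"; then
        echo "OK       $cc"
    else
        echo "MISMATCH $cc (policy wants $(expected_ccache "$demo_conf" 1000))"
    fi
done
rm -f "$demo_conf"
```

On a real host, run the two functions against /etc/krb5.conf, "$(id -u)" and "$KRB5CCNAME" from inside a fresh GSSAPI ssh session; a MISMATCH for every such login is the symptom this bug reports.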
bugzilla-daemon at mindrot.org
2020-Aug-27 09:28 UTC
[Bug 3203] Could default_ccache_name from krb5.conf be used for GSSAPI connections?
https://bugzilla.mindrot.org/show_bug.cgi?id=3203

Jakub Jelen <jjelen at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jjelen at redhat.com

--- Comment #1 from Jakub Jelen <jjelen at redhat.com> ---
We use several patches to do that in RHEL/Fedora and this was already proposed
in bug #2775, but without any feedback from OpenSSH developers.

Feel free to use the patches we use (might need updating from the version posted
in the bug). But note that there are still many people interested in using
per-session caches.
bugzilla-daemon at mindrot.org
2020-Aug-27 09:37 UTC
[Bug 3203] Could default_ccache_name from krb5.conf be used for GSSAPI connections?
https://bugzilla.mindrot.org/show_bug.cgi?id=3203

--- Comment #2 from Toby Blake <toby at inf.ed.ac.uk> ---
(In reply to Jakub Jelen from comment #1)
> We use several patches to do that in RHEL/Fedora and this was
> already proposed in bug #2775, but without any feedback from OpenSSH
> developers.
>
> Feel free to use the patches we use (might need updating from
> version posted in the bug). But note that there are still many people
> interested in using per-session caches.

Hi Jakub,

Thanks for the reply. I've tried a (slightly reworked to get it to apply)
version of openssh-7.7p1-gssapi-new-unique.patch but it doesn't seem to quite
do what I want it to do; specifically, it always gives me a new unique ccache,
rather than using e.g. KEYRING:persistent:%{uid}. It may be that in reworking
it I've messed it up somewhat, so I need to find some time to look at it in
more detail.

Cheers
Toby
bugzilla-daemon at mindrot.org
2020-Aug-27 10:00 UTC
[Bug 3203] Could default_ccache_name from krb5.conf be used for GSSAPI connections?
https://bugzilla.mindrot.org/show_bug.cgi?id=3203

--- Comment #3 from Jakub Jelen <jjelen at redhat.com> ---
Hi,

the current version we use in Fedora lives here, so it could have gone through
some updates and fixes since 2 years ago:

https://src.fedoraproject.org/rpms/openssh/blob/master/f/openssh-7.7p1-gssapi-new-unique.patch

The new unique cache in the given collection is probably the most sensible way
of doing this. Or do you suggest that you would like the new login to override
existing tickets in the ccache? Or do you still see the ccache in /tmp being
used? What configuration did you try?
bugzilla-daemon at mindrot.org
2020-Aug-27 10:55 UTC
[Bug 3203] Could default_ccache_name from krb5.conf be used for GSSAPI connections?
https://bugzilla.mindrot.org/show_bug.cgi?id=3203

--- Comment #4 from Toby Blake <toby at inf.ed.ac.uk> ---
(In reply to Jakub Jelen from comment #3)
> Hi,
> the current version we use in Fedora lives here so it could have
> gone through some updates and fixes since 2 years ago:
>
> https://src.fedoraproject.org/rpms/openssh/blob/master/f/openssh-7.7p1-gssapi-new-unique.patch

Hi, this is the patch I've tried to rework for Ubuntu.

> The new unique cache in the given collection is probably the most
> sensible way of doing this. Or you suggest that you would like the
> new login to override existing tickets in the ccache? Or you still
> see the ccache in /tmp being used? What configuration did you try?

What I'd like is to be able to set

    [libdefaults]
    default_ccache_name = KEYRING:persistent:%{uid}
    ...

in /etc/krb5.conf and for (gssapi) ssh connections to use this, in the same way
that I can set it for PAM connections. This no doubt works under Red Hat (and
indeed it works for us with Scientific Linux 7.8 with the addition of a
backported openssh-7.5p1-gss-environment.patch, as discussed in
https://bugzilla.redhat.com/show_bug.cgi?id=1199363).

I think I need to look at the gssapi-new-unique patch again, with a more
complete understanding of the relevant code areas. My reworking of it is
definitely not doing what it should do.

The biggest issue in getting this working is the divergent code bases between
Red Hat and Ubuntu (in particular, I suspect, the gsskex patch). This is why I'd
much prefer this issue to be fixed upstream. Pending that, I'll look again at
the unique patch.

Cheers
Toby
bugzilla-daemon at mindrot.org
2021-May-28 09:04 UTC
[Bug 3203] Could default_ccache_name from krb5.conf be used for GSSAPI connections?
https://bugzilla.mindrot.org/show_bug.cgi?id=3203

Lars-Dominik Braun <ldb at leibniz-psychology.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ldb at leibniz-psychology.org

--- Comment #5 from Lars-Dominik Braun <ldb at leibniz-psychology.org> ---
Has there been any progress? We'd also be interested in this feature. Our setup
includes SSSD, which provides a KCM: backend for ticket storage, but SSH keeps
falling back to KRB5CCNAME=FILE: when using an existing ticket to login.

Working around the issue is quite simple (because no pattern expansion is
needed) using pam_env and an entry in /etc/environment, which overrides SSH's
default. Still, it'd be better if SSH respected krb5.conf in the first place.
bugzilla-daemon at mindrot.org
2022-Jul-08 20:09 UTC
[Bug 3203] Could default_ccache_name from krb5.conf be used for GSSAPI connections?
https://bugzilla.mindrot.org/show_bug.cgi?id=3203

Andreas Hasenack <andreas at canonical.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |andreas at canonical.com
bugzilla-daemon at mindrot.org
2022-Sep-21 15:40 UTC
[Bug 3203] Could default_ccache_name from krb5.conf be used for GSSAPI connections?
https://bugzilla.mindrot.org/show_bug.cgi?id=3203

Pat Riehecky <riehecky at fnal.gov> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |riehecky at fnal.gov

--- Comment #6 from Pat Riehecky <riehecky at fnal.gov> ---
Echoing interest in this.
bugzilla-daemon at mindrot.org
2022-Dec-28 13:56 UTC
[Bug 3203] Could default_ccache_name from krb5.conf be used for GSSAPI connections?
https://bugzilla.mindrot.org/show_bug.cgi?id=3203

Björn Jacke <bjoern at j3e.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bjoern at j3e.de