Hello,

I'm playing around with MIT Kerberos at the moment and got the problem that openssh does not honor the "default_ccache_name" variable in /etc/krb5.conf. It looks like the FILE based credential cache is hardcoded and openssh sets KRB5CCNAME to it, but I would like to use the KEYRING cache. Is there any way to tell ssh to use the cache set in "default_ccache_name"?

Many thanks in advance and best regards

- Thorsten -

On 03/03/2017 10:17 PM, tseegerkrb wrote:
> Hello, I'm playing around with MIT Kerberos at the moment and got the
> problem that openssh does not honor the "default_ccache_name" variable in
> /etc/krb5.conf. It looks like the FILE based credential cache is
> hardcoded and openssh sets KRB5CCNAME to it, but I would like to use the
> KEYRING cache. Is there any way to tell ssh to use the cache set in
> "default_ccache_name"?
>
> Many thanks in advance and best regards

Hello,
in Fedora and RHEL we have a patch that takes care of this:

http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/tree/openssh-6.3p1-krb5-use-default_ccache_name.patch

I am not sure why it was not driven upstream yet, but in any case if that would solve your case, feel free to use it, if it would be acceptable upstream, feel free to merge it.

Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat

On 06.03.2017 08:41, Jakub Jelen wrote:
> On 03/03/2017 10:17 PM, tseegerkrb wrote:
>> Hello, I'm playing around with MIT Kerberos at the moment and got the
>> problem that openssh does not honor the "default_ccache_name" variable in
>> /etc/krb5.conf. It looks like the FILE based credential cache is
>> hardcoded and openssh sets KRB5CCNAME to it, but I would like to use the
>> KEYRING cache. Is there any way to tell ssh to use the cache set in
>> "default_ccache_name"?
>>
>> Many thanks in advance and best regards
>
> Hello,
> in Fedora and RHEL we have a patch that takes care of this:
>
> http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/tree/openssh-6.3p1-krb5-use-default_ccache_name.patch
>
> I am not sure why it was not driven upstream yet, but in any case if
> that would solve your case, feel free to use it, if it would be
> acceptable upstream, feel free to merge it.
>
> Regards,

Hello,

thx for your answer. I'm using Debian / Ubuntu and would prefer to get the patch in the upstream package. I'm new to this, how and who do I need to ask to add the patch to the upstream?

Thank you in advance

Best Regards,
Thorsten