Thank you both for the replies and explanation!
@douglas
Can I set KRB5CCNAME somewhere so that it uses /home? Where?
But even if I could set the env variable, I have this odd behavior:
I now have 4 vms running.
2 are rocky8 and 2 are rocky9, with same settings and versions I stated on my
first post.
From the 4 vms, when I ssh into them, 2 of them set a cache file in the user's
home and the other two save it in /tmp.
I can't seem to understand why my other two vms do not want to set up the cache in
/home.
The only difference I can think of is that the two vms that do use /home are
the actual kdc/ldap servers. The two "bad" vms are clients, only running
sssd/sshd.
Upon ssh login to each of the 4 vms, a KRB5CCNAME=FILE:/bla environment variable
is set, which will be /tmp or /home, depending on the vm.
Someone requested a trace, so I'll post that tomorrow; hopefully it will be
helpful.
Appreciate very much you all's input!
Best,
Dave
On Jun 11, 2024 at 2:00 PM -0400, Douglas E Engert <deengert at
gmail.com>, wrote:
>
> On 6/6/2024 8:26 AM, Dave Macias wrote:
> > *I wanted to see if I could make the cache file user-specific, instead
> > of the default location (/tmp/krb5cc-blabla).*
> SSH is creating a separate ticket cache file for each login session and
> owned by the user.
> This has been the preferred way to do this for decades.
> https://kerberos.mit.narkive.com/YJB4Hshz/krb5ccname-and-sshd
>
> Your: "Ticket cache: FILE:/tmp/krb5cc_2000_tgiettMBSK" looks like
> it is set by sshd and your environment should have a KRB5CCNAME with that name.
> If you share the ticket cache between multiple login sessions, when the
> first session ends,
> the "GSSAPICleanupCredentials yes" will cause the shared ticket
> cache to be deleted. Using /tmp means the cache is destroyed upon a
> shutdown/restart. /tmp is also a local file system. /home may be on
> a network disk which has other issues.
> > openssh-unix-dev mailing list
> > openssh-unix-dev at mindrot.org
> > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
> --
>
> Douglas E. Engert <DEEngert at gmail.com>
>
>
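A defender-side check, added here and not part of the thread, for the per-session cache Douglas describes: it parses a KRB5CCNAME value, confirms the file follows sshd's krb5cc_<uid>_<random> naming, and verifies it is owned by the login user with mode 0600. The helper names are mine, and the script assumes GNU stat(1) with -c.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check the per-session
# Kerberos credential cache that sshd hands a login session.
# Assumes GNU coreutils stat(1) (-c) for owner and mode lookup.

# Strip the "FILE:" prefix from a KRB5CCNAME value and print the path.
# Returns 1 for non-FILE cache types (KEYRING:, DIR:, KCM:, ...).
ccache_path() {
    case "$1" in
        FILE:/*) printf '%s\n' "${1#FILE:}" ;;
        /*)      printf '%s\n' "$1" ;;     # bare path is also a FILE cache
        *)       return 1 ;;
    esac
}

# Does the file name follow sshd's per-session pattern krb5cc_<uid>_<random>?
# A name with no random suffix (krb5cc_<uid>) is the shared, per-user style
# that GSSAPICleanupCredentials would delete when the first session ends.
# $1 = cache path, $2 = numeric uid of the login user.
ccache_name_is_per_session() {
    case "$(basename "$1")" in
        "krb5cc_$2_"??*) return 0 ;;
        *)               return 1 ;;
    esac
}

# Full check: FILE cache, per-session name, owned by uid, mode 0600.
# Prints a reason on failure; returns 0 on success.
check_ccache() {
    path=$(ccache_path "$1") || { echo "not a FILE: cache: $1"; return 1; }
    [ -f "$path" ] || { echo "missing: $path"; return 1; }
    ccache_name_is_per_session "$path" "$2" \
        || { echo "shared-style name: $path"; return 1; }
    [ "$(stat -c %u "$path")" = "$2" ] || { echo "wrong owner: $path"; return 1; }
    [ "$(stat -c %a "$path")" = "600" ] || { echo "loose mode: $path"; return 1; }
    echo "ok: $path"
}

# On a live ssh login: check_ccache "$KRB5CCNAME" "$(id -u)"
```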