I have not looked at Kerberos in years. But it looks like KRB5CCNAME comes from:
https://github.com/openssh/openssh-portable/blob/master/gss-serv-krb5.c#L134-L197
But it depends on which version of Kerberos you have, and if you are also using
PAM.
Google for: heimdal kerberos cache name
It looks like there is now an SSSD Kerberos Cache Manager rather than storing in
individual files.
On 6/11/2024 7:21 PM, Dave Macias wrote:
> Just to show what I mean when I ssh into my vms, 2 vms save the cache in
> /tmp and the other 2 in /home. See what happens when I run the loop below:
>
> > for i in rocky8client rocky9client rocky9server rocky8server; do
> > /usr/bin/sshpass -p password /usr/bin/ssh -l jdoe $i "hostname;
> > klist"; done
>
> rocky8client.domain.net
> Ticket cache: FILE:/tmp/krb5cc_2000_WP04h8h0sa
> Default principal: jdoe@DOMAIN.NET
>
> Valid starting       Expires              Service principal
> 06/11/2024 17:58:09  06/12/2024 17:58:09  krbtgt/DOMAIN.NET@DOMAIN.NET
>         renew until 06/11/2024 17:58:09
>
> rocky9client.domain.net
> Ticket cache: FILE:/tmp/krb5cc_2000_XXXXkYi1X5
> Default principal: jdoe@DOMAIN.NET
>
> Valid starting     Expires            Service principal
> 06/11/24 17:58:10  06/12/24 17:58:10  krbtgt/DOMAIN.NET@DOMAIN.NET
>         renew until 06/11/24 17:58:10
> Your password will expire in 23 hours.
>
> rocky9server.domain.net
> Ticket cache: FILE:/home/jdoe/.krb5cc_2000
> Default principal: jdoe@DOMAIN.NET
>
> Valid starting     Expires            Service principal
> 06/11/24 21:58:11  06/12/24 21:58:11  krbtgt/DOMAIN.NET@DOMAIN.NET
>         renew until 06/11/24 21:58:11
>
> rocky8server.domain.net
> Ticket cache: FILE:/home/jdoe/.krb5cc_2000
> Default principal: jdoe@DOMAIN.NET
>
> Valid starting     Expires            Service principal
> 06/11/24 21:58:12  06/12/24 21:58:12  krbtgt/DOMAIN.NET@DOMAIN.NET
>         renew until 06/11/24 21:58:12
> On Jun 11, 2024 at 5:05 PM -0400, Dave Macias <davama at gmail.com>, wrote:
>> Thank you both for the replies and explanation!
>>
>> @douglas
>>
>> Can I set KRB5CCNAME somewhere so that it uses /home? Where?
>>
>> But even if I could set the env variable I have this odd behavior:
>>
>> I now have 4 vms running.
>> 2 are rocky8 and 2 are rocky9, with same settings and versions I stated
>> on my first post.
>>
>> From the 4 vms, when I ssh into them, 2 of them set a cache file in the
>> user's home and the other two save it in /tmp.
>> I can't seem to understand why my other two vms do not want to set up the
>> cache in /home.
>>
>> The only difference I can think of is that the two vms that do use
>> /home are the actual kdc/ldap servers. The two "bad" vms are clients, only
>> running sssd/sshd.
>>
>> Upon ssh login to each of the 4 vms, a KRB5CCNAME=FILE:/bla environment
>> variable is set, which will be /tmp or /home, depending on the vm.
>>
>> Someone requested a trace, so I'll post that tomorrow; hopefully it will
>> be helpful.
>>
>> Appreciate very much you all's input!
>>
>> Best,
>> Dave
>> On Jun 11, 2024 at 2:00 PM -0400, Douglas E Engert <deengert at gmail.com>, wrote:
>>> On 6/6/2024 8:26 AM, Dave Macias wrote:
>>>> *I wanted to see if I could make the cache file user-specific,
>>>> instead of the default location (/tmp/krb5cc-blabla).*
>>> SSH is creating a separate ticket cache file for each login session
>>> and owned by the user.
>>> This has been the preferred way to do this for decades.
>>> https://kerberos.mit.narkive.com/YJB4Hshz/krb5ccname-and-sshd
>>>
>>> Your: "Ticket cache: FILE:/tmp/krb5cc_2000_tgiettMBSK"
>>> looks like it is set by sshd and your environment should have a KRB5CCNAME with
>>> that name.
>>> If you share the ticket cache between multiple login sessions, when
>>> the first session ends,
>>> the "GSSAPICleanupCredentials yes" will cause the shared
>>> ticket cache to be deleted. Using /tmp means the cache is destroyed upon a
>>> shutdown/restart. /tmp is also a local file system. /home may be on
>>> a network disk which has other issues.
>>>> openssh-unix-dev mailing list
>>>> openssh-unix-dev at mindrot.org
>>>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
--
Douglas E. Engert <DEEngert at gmail.com>
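As an added example (not code from the thread, from OpenSSH or from any of the posters), the script below parses klist output like the paste above and tells, per host, whether the cache is one of sshd's per-login files (krb5cc_<uid>_<random suffix>, the pattern assumed from the names in the paste) or a fixed path such as ~/.krb5cc_<uid> that every session of that user shares, which is the case where "GSSAPICleanupCredentials yes" removes the cache when the first session exits. The sample output is constructed from the paste plus a constructed KCM entry for the SSSD cache manager Douglas mentions; both klist date formats seen on the two distributions are handled.

```python
import re
from datetime import datetime

# Constructed sample klist output, modelled on the paste in the thread
# (two of the four hosts) plus a constructed KCM (SSSD cache manager) host.
SAMPLE_KLIST = {
    "rocky8client.domain.net": (
        "Ticket cache: FILE:/tmp/krb5cc_2000_WP04h8h0sa\n"
        "Default principal: jdoe@DOMAIN.NET\n"
        "\n"
        "Valid starting       Expires              Service principal\n"
        "06/11/2024 17:58:09  06/12/2024 17:58:09  krbtgt/DOMAIN.NET@DOMAIN.NET\n"
        "\trenew until 06/11/2024 17:58:09\n"
    ),
    "rocky9server.domain.net": (
        "Ticket cache: FILE:/home/jdoe/.krb5cc_2000\n"
        "Default principal: jdoe@DOMAIN.NET\n"
        "\n"
        "Valid starting     Expires            Service principal\n"
        "06/11/24 21:58:11  06/12/24 21:58:11  krbtgt/DOMAIN.NET@DOMAIN.NET\n"
        "\trenew until 06/11/24 21:58:11\n"
        "Your password will expire in 23 hours.\n"
    ),
    "kcm-host.example": (  # constructed: a KCM cache has no file path at all
        "Ticket cache: KCM:2000\n"
        "Default principal: jdoe@DOMAIN.NET\n"
    ),
}

# sshd creates one cache per login named krb5cc_<uid>_<random> (pattern
# assumed from the paste); a name without the random suffix is a fixed path
# that every session of that user would share.
PER_SESSION_RE = re.compile(r"/krb5cc_(\d+)_[A-Za-z0-9]+$")
FIXED_RE = re.compile(r"/\.?krb5cc_(\d+)$")
TIMESTAMP = r"\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(r"^(%s)\s+(%s)\s+(\S+)$" % (TIMESTAMP, TIMESTAMP))
RENEW_RE = re.compile(r"^\s*renew until (%s)$" % TIMESTAMP)
# klist printed a four-digit year on rocky8 and a two-digit year on rocky9.
DATE_FORMATS = ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S")


def parse_time(text):
    """Parse a klist timestamp in either year format seen in the paste."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised klist timestamp: %r" % text)


def parse_klist(output):
    """Extract cache location, principal and TGT lifetime from klist text."""
    info = {"cache_type": None, "cache_path": None, "uid": None,
            "per_session": None, "principal": None,
            "tgt_expires": None, "renew_until": None, "renewable": False}
    last_was_tgt = False
    for line in output.splitlines():
        if line.startswith("Ticket cache:"):
            ctype, _, path = line.split(":", 1)[1].strip().partition(":")
            info["cache_type"], info["cache_path"] = ctype, path
            m = PER_SESSION_RE.search(path) or FIXED_RE.search(path)
            if m:
                info["uid"] = int(m.group(1))
                info["per_session"] = m.re is PER_SESSION_RE
        elif line.startswith("Default principal:"):
            info["principal"] = line.split(":", 1)[1].strip()
        elif TICKET_RE.match(line):
            _, expires, service = TICKET_RE.match(line).groups()
            last_was_tgt = service.startswith("krbtgt/")
            if last_was_tgt:
                info["tgt_expires"] = parse_time(expires)
        elif RENEW_RE.match(line) and last_was_tgt:
            info["renew_until"] = parse_time(RENEW_RE.match(line).group(1))
            # A "renew until" no later than the expiry means the TGT cannot be renewed.
            info["renewable"] = info["renew_until"] > info["tgt_expires"]
    return info


def audit(hosts):
    """Classify each host's cache as per-session (sshd default), shared, or non-file."""
    verdicts = {}
    for host, output in hosts.items():
        info = parse_klist(output)
        if info["cache_type"] is None:
            verdicts[host] = "unknown"
        elif info["cache_type"] != "FILE":
            verdicts[host] = "non-file:%s" % info["cache_type"]
        elif info["per_session"] is True:
            verdicts[host] = "per-session"
        elif info["per_session"] is False:
            verdicts[host] = "shared"
        else:
            verdicts[host] = "unknown"
    return verdicts


if __name__ == "__main__":
    verdicts = audit(SAMPLE_KLIST)
    for host, output in SAMPLE_KLIST.items():
        info = parse_klist(output)
        print("%-25s %-12s %s (TGT expires %s, renewable=%s)" % (
            host, verdicts[host], info["cache_path"],
            info["tgt_expires"], info["renewable"]))
```

To run it against real hosts, feed the text captured by the ssh loop in the thread into `audit()` keyed by hostname; a "shared" verdict on a host that also has "GSSAPICleanupCredentials yes" is the combination Douglas describes.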