Displaying 20 results from an estimated 177 matches for "krb5ccname".
2003 Nov 11
1
AIX KRB5CCNAME problem
I believe there is a bug in how AIX handles the KRB5CCNAME environment
variable. The symptom occurs when a root user restarts sshd while they
have KRB5CCNAME set; all of the resulting client connections will inherit
the same KRB5CCNAME variable. This can occur if the admin uses 'ksu' or
some other kerberized method of obtaining root privilege...
2017 Dec 23
5
[Bug 2815] New: please set KRB5CCNAME to collection
https://bugzilla.mindrot.org/show_bug.cgi?id=2815
Bug ID: 2815
Summary: please set KRB5CCNAME to collection
Product: Portable OpenSSH
Version: 7.4p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: Kerberos support
Assignee: unassigned-bugs at mindrot.org...
2003 Nov 12
2
[Bug 757] KRB5CCNAME inherited from root's environment under AIX
http://bugzilla.mindrot.org/show_bug.cgi?id=757
Summary: KRB5CCNAME inherited from root's environment under AIX
Product: Portable OpenSSH
Version: -current
Platform: PPC
OS/Version: AIX
Status: NEW
Severity: minor
Priority: P2
Component: sshd
AssignedTo: openssh-bugs at min...
2017 Aug 05
3
Printing with smbspool_krb5_wrapper not working in Ubuntu 16.04
...ning Windows and we Linux users are using the centrally provided printing system through SMB-Kerberos. Everything works fine in 14.04. After upgrading to 16.04 everything works except the printing.
As I mentioned earlier I see that double backslashes are used in 16.04 when SMBSPOOL_KRB5 is setting KRB5CCNAME, can that cause this problem?
Ubuntu 16.04 /var/log/cups/error_log: SMBSPOOL_KRB5 - Setting KRB5CCNAME to \'FILE:/tmp/krb5cc_1000\'
Ubuntu 14.04 /var/log/cups/error_log: SMBSPOOL_KRB5 - Setting KRB5CCNAME to 'FILE:/tmp/krb5cc_1000'
Do you have any idea about what the error "HT...
2003 Oct 30
3
[Bug 751] KRB5CCNAME set incorrectly in GSSAPI code
http://bugzilla.mindrot.org/show_bug.cgi?id=751
Summary: KRB5CCNAME set incorrectly in GSSAPI code
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: Kerberos support
AssignedTo: openssh-bugs at mindrot...
2017 Feb 14
3
[PATCH v2 0/2] cifs.upcall: allow cifs.upcall to grab $KRB5CCNAME from initiating process
Small respin of the patches that I posted a few days ago. The main
difference is the reordering of the series to make it do the group
and grouplist manipulation first, and then the patch that makes
it grab the KRB5CCNAME from the initiating process.
I think the code is sound, my main question is whether we really
need the command-line switch for this. Should this just be the
default mode of operation?
Jeff Layton (2):
cifs.upcall: switch group IDs when handling an upcall
cifs.upcall: allow scraping of KRB5CCN...
2017 Apr 11
0
Good practices to make a Kerberos "mount.cifs" launched by root but with the credentials of another user
...ed
at the end of the message). I think my config is OK and I
can open a _graphical_ session with an AD account user. The
display manager of the computer is Lightdm. For instance,
I can open a graphical session with the AD account bob (uid
== 14001). In this case, I have the environment variable
KRB5CCNAME which is well set in the graphical session of bob:
# In a gnome-terminal of the bob graphical session, I have:
bob at stretch:~$ env | grep KR
KRB5CCNAME=FILE:/tmp/krb5cc_14001_I1H5wf
bob at stretch:~$ ls -l /tmp/krb5cc_14001_I1H5wf
-rw------- 1 bob domusers 3534 Apr 11 15:43 /tmp/krb5c...
2009 Sep 19
1
cifs.upcall not respecting krb5ccname env var?
...'m guessing the difference is in logon mechanism;
root is logged on locally while the 1000* UIDs are logging in over SSH.
Eliminating the random element would not be feasible as a single user may
have multiple Kerberos cached credentials.
The correct behaviour should be to read the value of the KRB5CCNAME
variable, which if present, should point to the correct location of the
Kerberos cached credentials for that session, and if not, use the present
default of /tmp/krb5cc_UID. Example output:
KRB5CCNAME=FILE:/tmp/krb5cc_10000_IKsPGl4129
At no point in the strace logs of both successful and faile...
2002 Jul 28
0
[Bug 372] New: [authkrb5] : KRB5CCNAME set to pointer
http://bugzilla.mindrot.org/show_bug.cgi?id=372
Summary: [authkrb5] : KRB5CCNAME set to pointer
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy:...
2017 Feb 11
2
[RFC][cifs-utils PATCH] cifs.upcall: allow scraping of KRB5CCNAME out of initiating task's /proc/<pid>/environ file
...ded from the session.
When the kernel does an upcall, it passes several bits of info about the
task that initiated the upcall. One of those things is the PID (the
tgid, in particular). We can use that info to reach into the
/proc/<pid>/environ file for the process, and grab whatever value of
KRB5CCNAME is there. This patch adds this ability to cifs.upcall.
I'm not 100% convinced that this is a good idea however, so for now,
this is disabled unless the command line has a '-e' switch. Anyone
wishing to play with this should edit their /etc/request-key.conf files
accordingly.
Signed-o...
2002 Mar 09
0
krb5 problem: KRB5CCNAME is ""; possible fix for OpenSSH 3.0.2p1
I'm using an OpenSSH 3.0.2p1 with the krb5 patch from
<http://www.sxw.org.uk/computing/patches/openssh.html>.
I'm getting KRB5CCNAME set to "" even though
<http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=98269278629018&w=2>
mentions fixing it. This causes things like kinit to
fail with a somewhat uninformative error message.
The relevant sshd_config lines I use are:
# To change Kerberos options
Kerbe...
2002 Jul 30
0
[Bug 372] [RFE] [authkrb5] : KRB5CCNAME set to pointer
.../bugzilla.mindrot.org/show_bug.cgi?id=372
basalt at easynet.fr changed:
What |Removed |Added
----------------------------------------------------------------------------
Severity|normal |enhancement
Summary|[authkrb5] : KRB5CCNAME set |[RFE] [authkrb5] :
|to pointer |KRB5CCNAME set to pointer
------- Additional Comments From basalt at easynet.fr 2002-07-30 18:49 -------
think this is not a bug but just a functionality partially implemented
------- You are receiving this mail becau...
2017 Feb 13
0
[RFC][cifs-utils PATCH] cifs.upcall: allow scraping of KRB5CCNAME out of initiating task's /proc/<pid>/environ file
...> > about the
> > > task that initiated the upcall. One of those things is the PID (the
> > > tgid, in particular). We can use that info to reach into the
> > > /proc/<pid>/environ file for the process, and grab whatever value
> > > of
> > > KRB5CCNAME is there. This patch adds this ability to cifs.upcall.
> > >
> > > I'm not 100% convinced that this is a good idea however, so for
> > > now,
> > > this is disabled unless the command line has a '-e' switch. Anyone
> > > wishing to play wit...
2003 May 20
0
[Bug 372] [RFE] [authkrb5] : KRB5CCNAME set to pointer
...rg/show_bug.cgi?id=372
------- Additional Comments From simon at sxw.org.uk 2003-05-21 00:45 -------
If this is reproducible, then it's a bug somewhere.
Could you confirm which Kerberos library and version you've seen this problem
with?
Are the credentials correctly created in /tmp, and KRB5CCNAME just isn't set
right, or are the credentials not being created at all?
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
2003 Dec 23
5
[Bug 757] KRB5CCNAME inherited from root's environment under AIX
http://bugzilla.mindrot.org/show_bug.cgi?id=757
dtucker at zip.com.au changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #498 is|0 |1
obsolete| |
------- Additional Comments From dtucker at zip.com.au 2003-12-23 00:44 -------
2004 Jan 25
2
[Bug 698] Specify FILE: for KRB5CCNAME
...What |Removed |Added
----------------------------------------------------------------------------
OtherBugsDependingO| |793
nThis| |
Summary|Specify FILE: for credential|Specify FILE: for KRB5CCNAME
|caches |
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
2024 Jun 11
1
kerberos default_ccache_name with sssd
Thank you both for the replies and explanation!
@douglas
Can I set KRB5CCNAME somewhere so that it uses /home? Where?
But even if I could set the env variable I have this odd behavior:
I now have 4 vms running.
2 are rocky8 and 2 are rocky9, with same settings and versions I stated on my first post.
From the 4 vms, when I ssh into them, 2 of them set a cache file in the u...
2017 Feb 15
5
[cifs-utils PATCH v3 0/4] cifs.upcall: allow cifs.upcall to scrape cache location initiating task's environment
...ities before
doing most of its work. This may help reduce the attack surface of the
program.
Jeff Layton (4):
cifs.upcall: convert two flags from int to bool
cifs.upcall: switch group IDs when handling an upcall
cifs.upcall: drop capabilities early in program
cifs.upcall: allow scraping of KRB5CCNAME out of initiating task's
/proc/<pid>/environ file
Makefile.am | 2 +-
cifs.upcall.8.in | 9 ++
cifs.upcall.c | 255 +++++++++++++++++++++++++++++++++++++++++++++++++++++--
3 files changed, 256 insertions(+), 10 deletions(-)
--
2.9.3
2024 Jun 11
1
kerberos default_ccache_name with sssd
...see if I could make the cache file user-specific, instead of
> the default location (/tmp/krb5cc-blabla).*
SSH is creating a separate ticket cache file for each login session and owned by the user.
This has been the preferred way to do this for decades.
https://kerberos.mit.narkive.com/YJB4Hshz/krb5ccname-and-sshd
Your: "Ticket cache: FILE:/tmp/krb5cc_2000_tgiettMBSK" looks like it is set by sshd and your environment should have a KRB5CCNAME with that name.
If you share the ticket cache between multiple login sessions, when the first session ends,
the "GSSAPICleanupCredentials yes"...
2005 Jun 29
3
sshd deletes the GSSAPI ticket on exit
...for sshd to correspondingly skip pam_setcred() during session exit?
What will happen if we take that approach?
As I understand it, pam_setcred() is called as part of the authentication
phase as well as part of the session exit phase. When called during
authentication, pam_setcred() sets the KRB5CCNAME environment variable to
the credentials file name, and when called during session exit,
pam_setcred() is called to delete that credentials file.
The problem:
Consider a server with pam.conf set up for PAM_KERBEROS all the way
(authentication, acct management, session management, the works)....