similar to: Automatically forwarding fresh Kerberos tickets?

I have not looked at Kerberos is years. But it looks like KRB5CCNAME comes from: https://github.com/openssh/openssh-portable/blob/master/gss-serv-krb5.c#L134-L197 But it depends on which version of Kerberos you have, and if you are also use PAM. Google for: heimdal kerberos cache name It looks like there is now a SSSD Kerberos Cache Manager rather then storing in individual file. On 6/11/2024

Just to show what i mean when i ssh into my vms, 2 vms save the cache in /tmp and the other 2 in /home. See what happens when i run the loop below: > for i in rocky8client rocky9client rocky9server rocky8server; do /usr/bin/sshpass -p password /usr/bin/ssh -l jdoe $i "hostname; klist"; done rocky8client.domain.net Ticket cache: FILE:/tmp/krb5cc_2000_WP04h8h0sa Default

Thank you both for the replies and explanation! @douglas Can i set?KRB5CCNAME somewhere so that it uses /home? Where? But even if i could set the env variable i have this odd behavior: I now have 4 vms running. 2 are rocky8 and 2 are rocky9, with same settings and versions I stated on my first post. From the 4 vms, when I ssh into them, 2 of them set a cache file in the users home and the

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I'm pleased to (finally) announce the availability of my GSSAPI Key Exchange patch for OpenSSH 4.7p1. Whilst OpenSSH contains support for doing GSSAPI user authentication, this only allows the underlying security mechanism to authenticate the user to the server, and continues to use SSH host keys to authenticate the server to the

Darren, We have systems which are multihomed for virtualisation, but run only one sshd. You can connect to any IP-address and should be authenticated with gssapi/kerberos. So the client will ask for a principal host/virt-ip-X and the server has to have an entry for this in the keytab and has to select the right key by determining the hostname from the connection IP-address. There is no other way

Thomas Calderon <calderon.thomas at gmail.com> writes: > Hi, > > There is no need to add new mechanism identifiers to use specific curves. > > This can be done already using the CKM_ECDSA mechanism parameters (see > CKA_ECDSA_PARAMS > in the standard). > Given that the underlying HW or SW tokens supports Ed25519 curves, then you > could leverage it even with

On 10/8/2015 4:49 AM, Simon Josefsson wrote: > Mathias Brossard <mathias at brossard.org> writes: > >> Hi, >> >> I have made a patch for enabling the use of ECDSA keys in the PKCS#11 >> support of ssh-agent which will be of interest to other users. > > Nice! What would it take to add support for Ed25519 too? Do we need to > allocate any new PKCS#11

Now that RFC 4462 has been published, I was wondering if there would be any interest in looking again at integrating the key exchange portions of my GSSAPI patch into the OpenSSH tree? As I've mentioned before, key exchange has significant benefits for large sites as it allows them to use Kerberos to authenticate ssh hosts, and removes the need to maintain and distribute ssh known_hosts

On Jan 17, 2017, at 9:57 AM, Douglas E Engert <deengert at gmail.com> wrote: > On 1/16/2017 2:09 PM, Ron Frederick wrote: >> I?m working on an implementation of ?gssapi-with-mic? authentication for my AsyncSSH package and trying to get it to interoperate with OpenSSH. I?ve gotten it working, but there seems to be a discrepancy between the OpenSSH implementation and RFC 4462.

[[Sending again, as for some strange reason it is not accepted]] Hello OpenSSH developers, I maintain external patch for PKCS#11 smartcard support into OpenSSH[1] , many users already apply and use this patch. I wish to know if anyone is interesting in working toward merging this into mainline. I had some discussion with Damien Miller, but then he disappeared. Having standard smartcard

On 6/24/2017 11:35 AM, Emmanuel Deloget wrote: > Hello Douglas, > > On Fri, Jun 23, 2017 at 9:16 PM, Douglas E Engert <deengert at gmail.com <mailto:deengert at gmail.com>> wrote: > > OpenSC has taken a different approach to OpenSSL-1.1. Rather then writing > > a shim for OpenSSL-1.1, the OpenSC code has been converted to > > the OpenSSL-1.1 API and a

On 6/6/2024 8:26 AM, Dave Macias wrote: > *I wanted to see if I could make the cache file user-specific, instead of > the default location (/tmp/krb5cc-blabla).* SSH is creating a separate ticket cache file for each login session and owned by the user. This has been the preferred way to do this for decades. https://kerberos.mit.narkive.com/YJB4Hshz/krb5ccname-and-sshd Your: "Ticket

This is weird. As in, *deeply* weird. I ssh as root from one box to another (there are keys involved), and I go to vi a file, such as # line 1 # # line 2 # # line 3 # line 4 And what I see in vi is # line 3 # line 4 BUT, if I scroll the cursor over each line with the arrow key... I see all four lines. I've also looked at another file, and same thing. Just checked it out on the server I

Good Morning, We have a network of Solaris 10 machines authenticating and doing name lookups via a Windows 2008 (SP2) domain using the Solaris ldap client and self/gssapi credentials. Each machine has a machine account that is prepared via a script with the following attributes: userAccountControl: 4263936 (WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH)

Rather then implementing kafs in MIT Kerberos, I would like to suggest an alternative which has advantages to all parties. The OpenSSH sshd needs to do two things: (1) sets a PAG in the kernel, (2) obtains an AFS token storing it in the kernel. It can use the Kerberos credentials either obtained via GSSAPI delegation, PAM or other kerberos login code in the sshd. The above two

OpenSC has taken a different approach to OpenSSL-1.1. Rather then writing a shim for OpenSSL-1.1, the OpenSC code has been converted to the OpenSSL-1.1 API and a sc-ossl-compat.h" file consisting of defines and macros was written to support older versions of OpenSSL and Libressl. https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/sc-ossl-compat.h The nice part of this approach is

just wanted to get some feedback from the community. Over the last few days I have noticed my web server and email box have attempted to ssh'd to using weird names like admin,appuser,nobody,etc.... None of these are valid users. I know that I can block sshd all together with iptables but that will not work for us. I did a little research on google and found programs like sshguard and

Hi list,I want to make winbind kerberos ticket refresh work but I couldn't do it with configuration below: ------ smb.conf ------security = ADS workgroup = MYDOMAINrealm = MYDOMAIN.ORG log file = /var/log/samba/%m.loglog level = 6enable core files = no idmap config * : backend = tdbidmap config * : range = 3000-7999idmap config MYDOMAIN : backend = rid idmap config MYDOMAIN : range =

hello list I have a network mounted home directory shared between all hosts on my network: [bluethundr at LCENT03:~]#df -h Filesystem Size Used Avail Use% Mounted on /dev/mapper/VolGroup00-LogVol00 140G 4.4G 128G 4% / /dev/sda1 99M 35M 60M 37% /boot tmpfs 1.6G 0 1.6G 0% /dev/shm nas.summitnjhome.com:/mnt/nas

Has anyone had experience with MIT Kerberos tickets not valid after server reboot? After server reboot I have to do a 'kinit' to get a new ticket, re-join the AD domain, and restart samba. Then all is fine until I have to reboot the server again.. Same thing again and again. My time is synced, Kerberos tickets are good for 500d.