kerberos default_ccache_name with sssd

Good day everyone,

I am currently testing integrating kerberos into our MMR openldap cluster
and things have gone well so far.

I can ssh to my test clients using my kerberos credentials then ssh using
GSSAPI to other hosts as defined in my principals using my ticket,
achieving SSO.

*I wanted to see if I could make the cache file user-specific, instead of
the default location (/tmp/krb5cc-blabla).*

I configured sssd.conf with:
krb5_ccachedir = %h
krb5_ccname_template = FILE:%d/.krb5cc_%U

I configured krb5.conf with:
[libdefaults]
    default_ccache_name = FILE:/home/%{username}/.krb5cc_%{uid}

My sshd_config has the following:
KerberosAuthentication yes
KerberosOrLocalPasswd no
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes
UseDNS yes

*What I noticed:*
When I ssh to the host I can see that klist shows my cache file under /tmp:
Ticket cache: FILE:/tmp/krb5cc_2000_tgiettMBSK
Default principal: jdoe@xxxxxxxxxx

Valid starting       Expires              Service principal
06/06/2024 09:06:40  06/07/2024 09:06:40  krbtgt/DOMAIN.NET@xxxxxxxxxx
renew until 06/06/2024 09:06:40

If I instead `su` to the user and then run `echo pass | kinit`, my cache file
is respected:
[root@krbhost3 ~]# su - jdoe
[jdoe@krbhost3 ~]$ klist
klist: No credentials cache found (filename: /home/jdoe/.krb5cc_jdoe)
[jdoe@krbhost3 ~]$ echo password | kinit
Password for jdoe@xxxxxxxxxx:
[jdoe@krbhost3 ~]$ klist
Ticket cache: FILE:/home/jdoe/.krb5cc_jdoe
Default principal: jdoe@xxxxxxxxxx

Valid starting       Expires              Service principal
06/06/2024 09:08:03  06/07/2024 09:08:03  krbtgt/NWK.JWM2.NET@xxxxxxxxxx
renew until 06/06/2024 09:08:03

So it seems that sssd does as configured and places the cache file in the
correct location but when I ssh into the host, it goes to the default
location.

I also tried setting the KRB5CCNAME environment variable in
/etc/sysconfig/sshd file but sshd still prefers the defaults.

I am using pam_sss and not pam_krb5. (authselect select sssd with-mkhomedir
--force)

*My environment: (3 hosts total)*
rockylinux9: (x2)
OpenSSH_8.7p1, OpenSSL 3.0.7 1 Nov 2022
krb5-server-1.21.1-1
sssd-2.9.4-6
symas-openldap-servers-2.6.7-2

rockylinux8: (x1)
OpenSSH_8.0p1, OpenSSL 1.1.1k  FIPS 25 Mar 2021
krb5-server-1.18.2-27
sssd-2.9.4-3

Not sure if this is a Red Hat issue (since OpenSSH is older on my systems)
or a misconfiguration on my part.

Any input is very much appreciated.

Best,
Dave
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
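The post contrasts two klist results: after an ssh/GSSAPI login the cache lands under /tmp, while after su + kinit it follows the sssd template. As an added check (not part of the post or of sssd/OpenSSH), the script below extracts the cache path from klist output, compares it with the per-user location the template `FILE:%d/.krb5cc_%U` would produce, and verifies that an on-disk cache file is owned by the user with mode 0600; the klist samples are constructed to mirror the post.

```shell
#!/bin/sh
# Added example: find out where a Kerberos credential cache ended up and
# whether it is private to its owner. The klist samples are constructed.

# Extract the path from the "Ticket cache: FILE:/path" line of klist output.
ccache_path() {
    printf '%s\n' "$1" | sed -n 's/^Ticket cache: FILE:\(.*\)$/\1/p' | head -n 1
}

# Location the sssd template FILE:%d/.krb5cc_%U resolves to:
# $1 = home directory, $2 = login name.
expected_ccache() {
    printf '%s/.krb5cc_%s\n' "$1" "$2"
}

# 0 when the cache is where the template says, 1 when it fell back
# elsewhere (e.g. the /tmp/krb5cc_<uid>_<random> default).
ccache_in_expected_place() {
    [ "$(ccache_path "$1")" = "$(expected_ccache "$2" "$3")" ]
}

# A cache file on disk must be a regular file owned by the user ($2,
# name or numeric uid) with mode 0600 so other local users cannot read it.
ccache_file_private() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -prune -user "$2" -perm 600 -print 2>/dev/null)" ]
}

# Constructed sample: klist after the ssh/GSSAPI login described in the post.
SSH_KLIST='Ticket cache: FILE:/tmp/krb5cc_2000_tgiettMBSK
Default principal: jdoe@EXAMPLE.COM'
# Constructed sample: klist after su + kinit in the post.
KINIT_KLIST='Ticket cache: FILE:/home/jdoe/.krb5cc_jdoe
Default principal: jdoe@EXAMPLE.COM'

for sample in "$SSH_KLIST" "$KINIT_KLIST"; do
    if ccache_in_expected_place "$sample" /home/jdoe jdoe; then
        echo "per-user cache: $(ccache_path "$sample")"
    else
        echo "fell back to default: $(ccache_path "$sample")"
    fi
done
```

Run `ccache_file_private "$(ccache_path "$(klist)")" "$(id -u)"` on a live host to check the real cache file.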
