Re: kerberos default_ccache_name with sssd

[Douglas E Engert <deengert@xxxxxxxxx>]

I have not looked at Kerberos is years. But it looks like KRB5CCNAME comes from:
https://github.com/openssh/openssh-portable/blob/master/gss-serv-krb5.c#L134-L197
But it depends on which version of Kerberos you have, and if you are also use PAM.

Google for: heimdal kerberos cache name
It looks like there is now a SSSD Kerberos Cache Manager rather then storing in individual file.

On 6/11/2024 7:21 PM, Dave Macias wrote:
> Just to show what i mean when i ssh into my vms, 2 vms save the cache in /tmp and the other 2 in /home. See what happens when i run the loop below:
>
> > for i in rocky8client rocky9client rocky9server rocky8server; do /usr/bin/sshpass -p password /usr/bin/ssh -l jdoe $i "hostname; klist"; done
>
> rocky8client.domain.net <http://rocky8client.domain.net>
> Ticket cache: FILE:/tmp/krb5cc_2000_WP04h8h0sa
> Default principal: jdoe@xxxxxxxxxx <https://mailto:jdoe@xxxxxxxxxx>
>
> Valid starting Expires Service principal
> 06/11/2024 17:58:09 06/12/2024 17:58:09 krbtgt/DOMAIN.NET@xxxxxxxxxx <https://mailto:krbtgt/DOMAIN.NET@xxxxxxxxxx>
>  renew until 06/11/2024 17:58:09
>
> rocky9client.domain.net <http://rocky9client.domain.net>
> Ticket cache: FILE:/tmp/krb5cc_2000_XXXXkYi1X5
> Default principal: jdoe@xxxxxxxxxx <https://mailto:jdoe@xxxxxxxxxx>
>
> Valid starting Expires Service principal
> 06/11/24 17:58:10 06/12/24 17:58:10 krbtgt/DOMAIN.NET@xxxxxxxxxx <https://mailto:krbtgt/DOMAIN.NET@xxxxxxxxxx>
>  renew until 06/11/24 17:58:10
> Your password will expire in 23 hours.
>
> rocky9server.domain.net <http://rocker9server.domain.net>
> Ticket cache: FILE:/home/jdoe/.krb5cc_2000
> Default principal: jdoe@xxxxxxxxxx <https://mailto:jdoe@xxxxxxxxxx>
>
> Valid starting Expires Service principal
> 06/11/24 21:58:11 06/12/24 21:58:11 krbtgt/DOMAIN.NET@xxxxxxxxxx <https://mailto:krbtgt/DOMAIN.NET@xxxxxxxxxx>
>  renew until 06/11/24 21:58:11
>
> rocky8server.domain.net <http://rocker8server.domain.net>
> Ticket cache: FILE:/home/jdoe/.krb5cc_2000
> Default principal: jdoe@xxxxxxxxxx <https://mailto:jdoe@xxxxxxxxxx>
>
> Valid starting Expires Service principal
> 06/11/24 21:58:12 06/12/24 21:58:12 krbtgt/DOMAIN.NET@xxxxxxxxxx <https://mailto:krbtgt/DOMAIN.NET@xxxxxxxxxx>
>  renew until 06/11/24 21:58:12
> On Jun 11, 2024 at 5:05 PM -0400, Dave Macias <davama@xxxxxxxxx>, wrote:
> > Thank you both for the replies and explanation!
> >
> > @douglas
> >
> > Can i set KRB5CCNAME somewhere so that it uses /home? Where?
> >
> > But even if i could set the env variable i have this odd behavior:
> >
> > I now have 4 vms running.
> > 2 are rocky8 and 2 are rocky9, with same settings and versions I stated on my first post.
> >
> > From the 4 vms, when I ssh into them, 2 of them set a cache file in the users home and the other two save it in /tmp.
> > I cant seem to understand why my other two vms do not want to setup the cache in the /home.
> >
> > The only difference i can think of is that the two vms that do use /home, are the actual kdc/ldap servers. The two “bad” vms are clients, only running sssd/sshd.
> >
> > Upon ssh login to each of the 4 vms, a KRB5CCNAME=FILE:/bla environment variable is set; which will be /tmp or /home, depending on the vm.
> >
> > Someone requested a trace, so ill post that tomorrow, hopefully it will be helpful.
> >
> > Appreciate very much you all’s input!
> >
> > Best,
> > Dave
> > On Jun 11, 2024 at 2:00 PM -0400, Douglas E Engert <deengert@xxxxxxxxx>, wrote:
> > > On 6/6/2024 8:26 AM, Dave Macias wrote:
> > > > *I wanted to see if I could make the cache file user-specific, instead of
> > > > the default location (/tmp/krb5cc-blabla).*
> > > SSH is creating a separate ticket cache file for each login session and owned by the user.
> > > This has been the preferred way to do this for decades.
> > > https://kerberos.mit.narkive.com/YJB4Hshz/krb5ccname-and-sshd
> > >
> > > Your: "Ticket cache: FILE:/tmp/krb5cc_2000_tgiettMBSK" looks like it is set by sshd and your environment should have a KRB5CCNAME with that name.
> > > If you share the ticket cache between multiple login sessions, when the first session ends,
> > > the "GSSAPICleanupCredentials yes" will cause the shared ticket cache to be deleted. Using /tmp means the cache is destroyed upon a shutdown/restart. /tmp is also a local file system. /home may be on
> > > a network disk which has other issues.
> > > > openssh-unix-dev mailing list
> > > > openssh-unix-dev@xxxxxxxxxxx
> > > > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> > >
> > > --
> > >
> > > Douglas E. Engert <DEEngert@xxxxxxxxx>
> > >
> > >
> > > _______________________________________________
> > > openssh-unix-dev mailing list
> > > openssh-unix-dev@xxxxxxxxxxx
> > > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

--

 Douglas E. Engert  <DEEngert@xxxxxxxxx>
 

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev