Re: kerberos default_ccache_name with sssd


I have not looked at Kerberos in years. But it looks like KRB5CCNAME comes from:
https://github.com/openssh/openssh-portable/blob/master/gss-serv-krb5.c#L134-L197
But it depends on which version of Kerberos you have, and whether you also use PAM.

Google for: heimdal kerberos cache name
It looks like there is now an SSSD Kerberos Cache Manager rather than storing in an individual file.

On 6/11/2024 7:21 PM, Dave Macias wrote:
Just to show what I mean: when I ssh into my VMs, 2 VMs save the cache in /tmp and the other 2 in /home. See what happens when I run the loop below:

> for i in rocky8client rocky9client rocky9server rocky8server; do /usr/bin/sshpass -p password /usr/bin/ssh -l jdoe $i "hostname; klist"; done

rocky8client.domain.net
Ticket cache: FILE:/tmp/krb5cc_2000_WP04h8h0sa
Default principal: jdoe@xxxxxxxxxx

Valid starting       Expires              Service principal
06/11/2024 17:58:09  06/12/2024 17:58:09  krbtgt/DOMAIN.NET@xxxxxxxxxx
	renew until 06/11/2024 17:58:09

rocky9client.domain.net
Ticket cache: FILE:/tmp/krb5cc_2000_XXXXkYi1X5
Default principal: jdoe@xxxxxxxxxx

Valid starting       Expires              Service principal
06/11/24 17:58:10    06/12/24 17:58:10    krbtgt/DOMAIN.NET@xxxxxxxxxx
	renew until 06/11/24 17:58:10
Your password will expire in 23 hours.

rocky9server.domain.net
Ticket cache: FILE:/home/jdoe/.krb5cc_2000
Default principal: jdoe@xxxxxxxxxx

Valid starting       Expires              Service principal
06/11/24 21:58:11    06/12/24 21:58:11    krbtgt/DOMAIN.NET@xxxxxxxxxx
	renew until 06/11/24 21:58:11

rocky8server.domain.net
Ticket cache: FILE:/home/jdoe/.krb5cc_2000
Default principal: jdoe@xxxxxxxxxx

Valid starting       Expires              Service principal
06/11/24 21:58:12    06/12/24 21:58:12    krbtgt/DOMAIN.NET@xxxxxxxxxx
	renew until 06/11/24 21:58:12
On Jun 11, 2024 at 5:05 PM -0400, Dave Macias <davama@xxxxxxxxx>, wrote:
Thank you both for the replies and explanation!

@douglas

Can I set KRB5CCNAME somewhere so that it uses /home? Where?

But even if I could set the env variable, I have this odd behavior:

I now have 4 vms running.
2 are rocky8 and 2 are rocky9, with same settings and versions I stated on my first post.

From the 4 VMs, when I ssh into them, 2 of them set a cache file in the user's home and the other two save it in /tmp.
I can't seem to understand why my other two VMs do not want to set up the cache in /home.

The only difference I can think of is that the two VMs that do use /home are the actual KDC/LDAP servers. The two "bad" VMs are clients, only running sssd/sshd.

Upon ssh login to each of the 4 VMs, a KRB5CCNAME=FILE:/bla environment variable is set, which will be /tmp or /home depending on the VM.

Someone requested a trace, so I'll post that tomorrow; hopefully it will be helpful.

I very much appreciate all of your input!

Best,
Dave
On Jun 11, 2024 at 2:00 PM -0400, Douglas E Engert <deengert@xxxxxxxxx>, wrote:


On 6/6/2024 8:26 AM, Dave Macias wrote:
*I wanted to see if I could make the cache file user-specific, instead of
the default location (/tmp/krb5cc-blabla).*
SSH is creating a separate ticket cache file for each login session and owned by the user.
This has been the preferred way to do this for decades.
https://kerberos.mit.narkive.com/YJB4Hshz/krb5ccname-and-sshd

Your "Ticket cache: FILE:/tmp/krb5cc_2000_tgiettMBSK" looks like it is set by sshd, and your environment should have a KRB5CCNAME with that name.

If you share the ticket cache between multiple login sessions, when the first session ends, the "GSSAPICleanupCredentials yes" will cause the shared ticket cache to be deleted. Using /tmp means the cache is destroyed upon a shutdown/restart. /tmp is also a local file system. /home may be on a network disk, which has other issues.
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

--

Douglas E. Engert <DEEngert@xxxxxxxxx>



--

Douglas E. Engert <DEEngert@xxxxxxxxx>
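As an added example that is not part of this thread, nor code from OpenSSH, MIT Kerberos, Heimdal or SSSD, the following POSIX shell helper classifies a credential cache name the way the thread distinguishes them: a per-session `FILE:/tmp/krb5cc_<uid>_<random>` created by sshd for one login, a fixed shared file such as `/home/jdoe/.krb5cc_2000`, or a collection type (`KCM:`, `DIR:`, `KEYRING:`) such as SSSD's cache manager. It then states what sshd's default `GSSAPICleanupCredentials yes` does to each kind, which is the point Douglas raises about shared caches, and checks that a FILE cache is readable by its owner only. The function names, the `check_cache_file_perms` permission check and the sample `klist` lines are constructed for this example; the principal is replaced with a placeholder realm.

```shell
#!/bin/sh
# Added example: classify a Kerberos credential cache name as the thread does.
# Hypothetical helper names; not part of sshd, MIT Kerberos, Heimdal or SSSD.

# Constructed sample klist output, modelled on two hosts in the thread.
SAMPLE_TMP='Ticket cache: FILE:/tmp/krb5cc_2000_WP04h8h0sa
Default principal: jdoe@EXAMPLE.NET'
SAMPLE_HOME='Ticket cache: FILE:/home/jdoe/.krb5cc_2000
Default principal: jdoe@EXAMPLE.NET'

# Extract the cache name from klist output. MIT prints "Ticket cache:",
# Heimdal prints "Credentials cache:"; both are handled.
cache_name() {
    printf '%s\n' "$1" \
        | sed -n -e 's/^Ticket cache: //p' -e 's/^Credentials cache: //p' \
        | head -n 1
}

# Classify a cache name (as printed by klist or held in KRB5CCNAME):
#   per-session  FILE:/tmp/krb5cc_<uid>_<random>, created by sshd for one login
#   shared       any other FILE: path (or bare path), e.g. a fixed name under $HOME
#   collection   KCM:/DIR:/KEYRING: caches that hold several credential caches
classify_cache() {
    case "$1" in
        KCM:*|DIR:*|KEYRING:*) echo collection ;;
        FILE:/tmp/krb5cc_*_*)  echo per-session ;;
        FILE:*|/*)             echo shared ;;
        *)                     echo unknown ;;
    esac
}

# Same classification, but starting from a full klist listing.
klist_cache_kind() {
    classify_cache "$(cache_name "$1")"
}

# What "GSSAPICleanupCredentials yes" (sshd's default) does when a session ends.
cleanup_effect() {
    case "$(classify_cache "$1")" in
        per-session) echo "removed when this session ends; other sessions unaffected" ;;
        shared)      echo "removed when the FIRST session using it ends; other sessions lose their tickets" ;;
        collection)  echo "only the cache sshd created inside the collection is destroyed" ;;
        *)           echo "unknown cache type" ;;
    esac
}

# Verify a FILE cache is a regular file with no group/other permission bits.
# Parses ls -ld so it works on both GNU and BSD userlands.
check_cache_file_perms() {
    path=${1#FILE:}
    [ -f "$path" ] || return 1
    [ "$(ls -ld "$path" | cut -c5-10)" = "------" ]
}

# Report on the constructed samples when run directly.
for s in "$SAMPLE_TMP" "$SAMPLE_HOME"; do
    n=$(cache_name "$s")
    echo "$n -> $(classify_cache "$n"): $(cleanup_effect "$n")"
done
```

On a real host, `classify_cache "$KRB5CCNAME"` after login gives the same answer as the `klist` path, which is a quick way to compare the four VMs in the thread without reading each listing by hand.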