Mailing List Archive

[Bug 3203] Could default_ccache_name from krb5.conf be used for GSSAPI connections?
https://bugzilla.mindrot.org/show_bug.cgi?id=3203

Jakub Jelen <jjelen@redhat.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |jjelen@redhat.com

--- Comment #1 from Jakub Jelen <jjelen@redhat.com> ---
We use several patches to do that in RHEL/Fedora and this was already
proposed in bug #2775, but without any feedback from OpenSSH
developers.

Feel free to use the patches we use (might need updating from the version
posted in the bug). But note that there are still many people interested
in using per-session caches.

--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 3203] Could default_ccache_name from krb5.conf be used for GSSAPI connections?
https://bugzilla.mindrot.org/show_bug.cgi?id=3203

--- Comment #2 from Toby Blake <toby@inf.ed.ac.uk> ---
(In reply to Jakub Jelen from comment #1)
> We use several patches to do that in RHEL/Fedora and this was
> already proposed in bug #2775, but without any feedback from OpenSSH
> developers.
>
> Feel free to use the patches we use (might need updating from the
> version posted in the bug). But note that there are still many people
> interested in using per-session caches.

Hi Jakub,

Thanks for the reply. I've tried a (slightly reworked to get it to
apply) version of openssh-7.7p1-gssapi-new-unique.patch but it doesn't
seem to quite do what I want it to do, specifically it always gives me
a new unique ccache, rather than using e.g. KEYRING:persistent:%{uid}.
It may be that in reworking it I've messed it up somewhat so I need to
find some time to look at it in more detail.

Cheers
Toby

[Bug 3203] Could default_ccache_name from krb5.conf be used for GSSAPI connections?
https://bugzilla.mindrot.org/show_bug.cgi?id=3203

--- Comment #3 from Jakub Jelen <jjelen@redhat.com> ---
Hi,
the current version we use in Fedora lives here, so it could have gone
through some updates and fixes in the two years since:

https://src.fedoraproject.org/rpms/openssh/blob/master/f/openssh-7.7p1-gssapi-new-unique.patch

The new unique cache in the given collection is probably the most
sensible way of doing this. Or you suggest that you would like the new
login to override existing tickets in the ccache? Or you still see the
ccache in /tmp being used? What configuration did you try?

[Bug 3203] Could default_ccache_name from krb5.conf be used for GSSAPI connections?
https://bugzilla.mindrot.org/show_bug.cgi?id=3203

--- Comment #4 from Toby Blake <toby@inf.ed.ac.uk> ---
(In reply to Jakub Jelen from comment #3)
> Hi,
> the current version we use in Fedora lives here, so it could have
> gone through some updates and fixes in the two years since:
>
> https://src.fedoraproject.org/rpms/openssh/blob/master/f/openssh-7.
> 7p1-gssapi-new-unique.patch

Hi, this is the patch I've tried to rework for ubuntu.

> The new unique cache in the given collection is probably the most
> sensible way of doing this. Or you suggest that you would like the
> new login to override existing tickets in the ccache? Or you still
> see the ccache in /tmp being used? What configuration did you try?

What I'd like is to be able to set

[libdefaults]
default_ccache_name = KEYRING:persistent:%{uid}

... in /etc/krb5.conf and for (gssapi) ssh connections to use this, in
the same way that I can set it for PAM connections.

This no doubt works under Red Hat (and indeed it works for us with
Scientific Linux 7.8 with the addition of a backported
openssh-7.5p1-gss-environment.patch, as discussed in
https://bugzilla.redhat.com/show_bug.cgi?id=1199363).

I think I need to look at the gssapi-new-unique patch again, with a
more complete understanding of the relevant code areas. My reworking
of it is definitely not doing what it should do.

The biggest issue in getting this working is the divergent code bases
between Red Hat and Ubuntu (in particular, I suspect, the gsskex patch).
This is why I'd much prefer this issue to be fixed upstream.

Pending that, I'll look again at the unique patch.

Cheers
Toby

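As an added example (not code from OpenSSH, MIT Kerberos, or the Fedora patch set discussed above), the script below models the MIT krb5 precedence rules for picking the default credential cache, so you can check offline which cache a login will end up in: KRB5CCNAME in the process environment wins, then default_ccache_name from [libdefaults] in krb5.conf, then the built-in FILE:/tmp/krb5cc_%{uid}. That ordering is why the krb5.conf setting is honoured for a PAM login but not for a stock sshd GSSAPI login: sshd stores delegated credentials in a unique FILE cache under /tmp and exports that name in KRB5CCNAME, which takes precedence. The krb5.conf fragment, the uid/username and the cache names in the script are constructed for the example; the parser only reads the flat key = value lines of [libdefaults] and does not handle the full krb5.conf grammar.

```python
"""Resolve which Kerberos credential cache a login will use.

Added example, not OpenSSH or MIT Kerberos code.  It models the MIT krb5
precedence for the default ccache:
  1. KRB5CCNAME in the environment (sshd exports this for the unique
     FILE cache it creates when storing delegated credentials),
  2. default_ccache_name in [libdefaults] of krb5.conf,
  3. the built-in FILE:/tmp/krb5cc_%{uid}.
All inputs below (krb5.conf text, environments, cache names) are constructed.
"""
import re

BUILTIN_DEFAULT = "FILE:/tmp/krb5cc_%{uid}"

# ccache types that act as one collection per user rather than one file per
# session; KEYRING:persistent:%{uid} from the bug report is the usual choice.
COLLECTION_TYPES = {"KEYRING", "DIR", "KCM"}

# constructed krb5.conf fragment matching the configuration in comment #4
SAMPLE_KRB5_CONF = """\
# constructed for the example
[libdefaults]
    default_realm = EXAMPLE.COM
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""


def parse_libdefaults(conf_text):
    """Return the flat key = value pairs of [libdefaults] (no nested blocks)."""
    section = None
    values = {}
    for raw in conf_text.splitlines():
        line = re.split(r"[#;]", raw, 1)[0].strip()   # strip krb5.conf comments
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            values[key] = val
    return values


def expand(template, uid, username):
    """Expand the %{uid}, %{euid} and %{username} parameters krb5 accepts."""
    subs = {"uid": str(uid), "euid": str(uid), "username": username}

    def repl(m):
        name = m.group(1)
        if name not in subs:
            raise ValueError("unsupported parameter %%{%s}" % name)
        return subs[name]

    return re.sub(r"%\{(\w+)\}", repl, template)


def effective_ccache(env, conf_text, uid, username):
    """Apply the precedence rules; return (source, expanded cache name)."""
    if env.get("KRB5CCNAME"):
        return ("KRB5CCNAME", env["KRB5CCNAME"])
    libdefaults = parse_libdefaults(conf_text)
    if "default_ccache_name" in libdefaults:
        return ("krb5.conf", expand(libdefaults["default_ccache_name"], uid, username))
    return ("builtin", expand(BUILTIN_DEFAULT, uid, username))


def cache_type(name):
    """Return the TYPE of 'TYPE:residual'; a bare path is a FILE cache."""
    if ":" in name:
        return name.split(":", 1)[0].upper()
    return "FILE"


def is_per_user_collection(name):
    return cache_type(name) in COLLECTION_TYPES


def diagnose(env, conf_text, uid, username):
    """Summarise where a login's credentials will land and whether that is
    the per-user collection the bug asks for or a per-session cache."""
    source, name = effective_ccache(env, conf_text, uid, username)
    verdict = "per-user collection" if is_per_user_collection(name) else "per-session cache"
    return {"source": source, "ccache": name, "type": cache_type(name), "verdict": verdict}


if __name__ == "__main__":
    # constructed cache name of the kind stock sshd creates for delegated creds
    sshd_env = {"KRB5CCNAME": "FILE:/tmp/krb5cc_AbCdEf"}
    print("gssapi ssh login:", diagnose(sshd_env, SAMPLE_KRB5_CONF, 1000, "toby"))
    print("pam login:       ", diagnose({}, SAMPLE_KRB5_CONF, 1000, "toby"))
    print("no krb5.conf:    ", diagnose({}, "", 1000, "toby"))
```

On a real host the equivalent check is to compare `echo $KRB5CCNAME` and `klist` in a GSSAPI ssh session against the same commands in a console or PAM login; if the ssh session reports a FILE cache under /tmp while the other reports the KEYRING collection, sshd's exported KRB5CCNAME is overriding krb5.conf exactly as modelled above.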