
Bug#668195: openssh-server: Forwarded Kerberos ticket has the wrong filename
On Mon, Apr 9, 2012 at 11:32 PM, Russ Allbery <rra@debian.org> wrote:
> Liam Healy <lnp@healy.washington.dc.us> writes:
>
>> When sshing to this computer with forwarded tickets, the filename is
>> changed from what is defined by $KRB5CCNAME on the client to some kind of
>> default naming /tmp/krb5ccname_<uid>_xxxxx.  This means that the ticket
>> is there, but not under the expected name, so setting $KRB5CCNAME on the
>> server to the same value on the client means that the ticket is not
>> seen.  This worked correctly under lenny.
>
> Why would you do that, rather than just let sshd set KRB5CCNAME to the
> appropriate value, which it will do automatically?  KRB5CCNAME should
> generally always point to a randomly-named ticket cache as long as files
> in /tmp are used, since otherwise you raise the possibility of DoS attacks
> and other annoyances due to known-file-name attacks in /tmp.
>
> KRB5CCNAME is a system-local setting.  It doesn't make sense to forward it
> from one system to another.  The remote system could be using something
> completely different to store the ticket cache, like KCM or kernel keyring
> caches.
>
> --
> Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Because I use two Kerberos realms simultaneously, and I need to distinguish them somehow.  I rename them with the realm name as part of the file name.  I was using "KRB5CCNAME" in my report as a proxy for the filename; what I should have said is that the ticket file name is being changed from what it is on the ssh client.  In addition, it seems that only the $KRB5CCNAME ticket is forwarded; it would be nice to be able to forward more than one ticket.  If there's a better way to keep track of tickets than renaming the file, I'll do that.

Thanks,
Liam
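The known-file-name problem Russ describes above, as an added example that is not code from openssh, MIT Kerberos, Debian or this bug report. It uses a private temporary directory as a stand-in for /tmp (an assumption, so it runs offline as an unprivileged user) and hypothetical function names. It shows what a symlink pre-planted at a guessable cache name does to an O_CREAT-without-O_EXCL open, the O_EXCL|O_NOFOLLOW open that refuses it, and a per-realm cache name that keeps the realm readable in the filename (the reporter's requirement) while the full name stays unpredictable.

```python
"""Added example (not code from openssh, MIT Kerberos or this bug report):
why a predictable credential-cache name in /tmp is a problem, and how to
name per-realm caches without that problem.

A private temporary directory stands in for /tmp (assumption, so the demo
runs offline as an unprivileged user); all function names are hypothetical.
"""
import errno
import os
import stat
import tempfile

O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)  # absent on a few platforms


def write_cache_predictable(path, data):
    """Pattern to avoid: fixed, guessable name and O_CREAT without O_EXCL.

    If another local user planted a symlink at `path` first, this open follows
    it and truncates/overwrites whatever the link points to.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def write_cache_exclusive(path, data):
    """Hardened open: O_EXCL fails if anything (file or symlink) already
    exists at `path`, and O_NOFOLLOW never follows a symlink."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def new_realm_cache(tmpdir, uid, realm):
    """Per-realm cache whose name carries the realm but ends in a random
    suffix; mkstemp creates it with O_CREAT|O_EXCL and mode 0600, so nobody
    can pre-create or pre-link the final name."""
    fd, path = tempfile.mkstemp(prefix=f"krb5cc_{uid}_{realm}_", dir=tmpdir)
    os.close(fd)
    return path


def cache_is_private(path):
    """Check before trusting an existing cache: a regular file (lstat, so a
    symlink is rejected), owned by us, with no group/other permission bits."""
    st = os.lstat(path)
    return (stat.S_ISREG(st.st_mode)
            and st.st_uid == os.getuid()
            and (st.st_mode & 0o077) == 0)


def demo():
    """Run the pre-planted-symlink scenario against both open patterns."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:           # stand-in for /tmp
        uid = os.getuid()
        guessable = os.path.join(tmp, f"krb5cc_{uid}")   # anyone can predict this
        victim = os.path.join(tmp, "victim_file")        # the attacker's target
        with open(victim, "wb") as f:
            f.write(b"important data")

        # Attacker's move, made before the victim logs in: link the
        # predictable cache name to a file the victim owns.
        os.symlink(victim, guessable)

        # Unsafe pattern: the cache write goes through the link.
        write_cache_predictable(guessable, b"TICKET")
        with open(victim, "rb") as f:
            results["victim_overwritten"] = f.read() == b"TICKET"

        # Hardened pattern: the same planted link makes the open fail
        # (EEXIST from O_EXCL, or ELOOP from O_NOFOLLOW depending on the OS).
        try:
            write_cache_exclusive(guessable, b"TICKET")
            results["exclusive_refused"] = False
        except OSError as e:
            results["exclusive_refused"] = e.errno in (errno.EEXIST, errno.ELOOP)

        # Two realms, two caches: realm visible in the name, suffix random.
        cc_a = new_realm_cache(tmp, uid, "EXAMPLE.COM")
        cc_b = new_realm_cache(tmp, uid, "EXAMPLE.ORG")
        results["realm_in_name"] = ("EXAMPLE.COM" in os.path.basename(cc_a)
                                    and "EXAMPLE.ORG" in os.path.basename(cc_b))
        results["distinct_caches"] = cc_a != cc_b
        results["both_private"] = cache_is_private(cc_a) and cache_is_private(cc_b)
        results["symlink_rejected"] = not cache_is_private(guessable)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Two caveats on reading the demo against a real /tmp: the sticky bit plus fs.protected_symlinks on current Linux kernels stops a different user's symlink from being followed there, but a regular file the attacker pre-creates under the guessable name still denies the victim that name, which is the DoS Russ refers to; and the fix in both cases is the unpredictable suffix, not the permission check alone, which only tells you after the fact that something is wrong. The cache_is_private check is the test a practitioner would still want before reusing an existing cache file whose name came from the environment.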

