Bug#668195: openssh-server: Forwarded Kerberos ticket has the wrong filename
Liam Healy <lnp@healy.washington.dc.us> writes:
> Because I use two Kerberos realms simultaneously, and I need to
> distinguish them somehow. I rename them with the realm name as part of
> the file name. I was using "KRB5CCNAME" in my report as a proxy for the
> filename, what I should have said is that the ticket file name is being
> changed from what it is on the ssh client. In addition, it seems that
> only $KRB5CCNAME ticket is forwarded; it would be nice to be able to
> forward more than one ticket. If there's a better way to keep track of
> tickets than renaming the file, I'll do that.
Ah, yes, that's a tricky problem.
Basically, Kerberos on UNIX only understands one TGT at a time and will
only forward one, so you have to hack together something else to handle
multiple ticket forwarding and ticket renaming. Unfortunately, there
isn't a good solution. The *right* solution is multi-ticket ticket caches
with corresponding forwarding (although it's hard to forward a ticket from
a realm other than the server's realm securely), but this isn't really
there on UNIX.
I would add some code to your shell initialization files (.bashrc or the
like) to determine what realm of a ticket got forwarded with klist and
then rename it after login, setting KRB5CCNAME to follow. That will be
reliable in the face of whatever sshd does.
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
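The shell-initialization approach suggested above, worked out as an added example (this is not code from the bug report, openssh or Kerberos): it assumes an MIT-style `klist` that prints a `Default principal: user@REALM` line, a `FILE:` cache in `$KRB5CCNAME`, and a hypothetical `.REALM` suffix as the naming convention.

```bash
#!/bin/bash
# Added example: after login, tag the forwarded ticket cache with its realm
# and point KRB5CCNAME at the renamed file. Assumptions (hypothetical):
# MIT klist output format and a FILE: cache; the ".REALM" suffix is our own.

# Extract the realm from klist-style output read on stdin (first match only).
realm_from_klist() {
    sed -n 's/^Default principal:[[:space:]]*[^@]*@\([^[:space:]]*\).*/\1/p' | head -n 1
}

# Build the realm-tagged cache path: $1 = current cache path, $2 = realm.
tagged_cache_path() {
    printf '%s.%s\n' "$1" "$2"
}

# Rename the current FILE: cache to include the realm and update KRB5CCNAME
# in the calling shell. $1 = klist output (in real use: "$(klist 2>/dev/null)").
# Returns non-zero, leaving everything untouched, if anything looks off.
rename_forwarded_cache() {
    local ccname="${KRB5CCNAME#FILE:}"
    if [ -z "$ccname" ] || [ ! -f "$ccname" ]; then
        return 1                      # no file-based cache to rename
    fi
    local realm
    realm=$(printf '%s\n' "$1" | realm_from_klist)
    if [ -z "$realm" ]; then
        return 1                      # klist showed no principal (no ticket?)
    fi
    local new
    new=$(tagged_cache_path "$ccname" "$realm")
    if [ -e "$new" ]; then
        return 1                      # never clobber an existing realm cache
    fi
    # mv keeps the cache's 0600 mode and ownership, unlike a copy.
    mv "$ccname" "$new" || return 1
    export KRB5CCNAME="FILE:$new"
}

# Typical .bashrc use (only for interactive logins that got a ticket):
#   [ -n "$KRB5CCNAME" ] && rename_forwarded_cache "$(klist 2>/dev/null)"
```

Because the rename happens in the login shell itself, the function must be called directly rather than inside `$(...)`, or the updated KRB5CCNAME is lost with the subshell.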