
Bug#668195: openssh-server: Forwarded Kerberos ticket has the wrong filename



Liam Healy <lnp@healy.washington.dc.us> writes:

> Because I use two Kerberos realms simultaneously, and I need to
> distinguish them somehow.  I rename them with the realm name as part of
> the file name.  I was using "KRB5CCNAME" in my report as a proxy for the
> filename; what I should have said is that the ticket file name is being
> changed from what it is on the ssh client.  In addition, it seems that
> only $KRB5CCNAME ticket is forwarded; it would be nice to be able to
> forward more than one ticket.  If there's a better way to keep track of
> tickets than renaming the file, I'll do that.

Ah, yes, that's a tricky problem.

Basically, Kerberos on UNIX only understands one TGT at a time and will
only forward one, so you have to hack together something else to handle
multiple ticket forwarding and ticket renaming.  Unfortunately, there
isn't a good solution.  The *right* solution is multi-ticket ticket caches
with corresponding forwarding (although it's hard to forward a ticket from
a realm other than the server's realm securely), but this isn't really
there on UNIX.

I would add some code to your shell initialization files (.bashrc or the
like) to determine what realm of a ticket got forwarded with klist and
then rename it after login, setting KRB5CCNAME to follow.  That will be
reliable in the face of whatever sshd does.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
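The shell-initialization approach suggested above, as an added example that is not part of the original thread or of any Debian or OpenSSH code. It assumes MIT Kerberos `klist` output (`Default principal: user@REALM`), a `FILE:`-type cache, and a constructed naming scheme of `<cache>_<REALM>`; the sample `klist` output is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: tag the forwarded Kerberos ticket cache with its realm after
# login and point KRB5CCNAME at the renamed file. Assumes MIT klist output
# format and a FILE: cache; the naming scheme <cache>_<REALM> is an assumption.

# Extract the realm of the default principal from klist output on stdin.
realm_from_klist() {
    sed -n 's/^Default principal:[[:space:]]*[^@]*@\([^[:space:]]*\).*/\1/p' | head -n 1
}

# Strip the optional "FILE:" prefix from a KRB5CCNAME value.
cache_path() {
    case "$1" in
        FILE:*) printf '%s\n' "${1#FILE:}" ;;
        *)      printf '%s\n' "$1" ;;
    esac
}

# Build the realm-tagged file name for a cache path.
realm_cache_name() {
    printf '%s_%s\n' "$1" "$2"
}

# Rename the cache named by $1 (a KRB5CCNAME value) using the realm found in
# the klist output stored in file $2, and print the new KRB5CCNAME value.
# Prints the original value unchanged if the realm cannot be determined, the
# cache is not a regular file, or it is already tagged with that realm.
relabel_ticket_cache() {
    ccname="$1"; klist_out="$2"
    realm=$(realm_from_klist < "$klist_out")
    path=$(cache_path "$ccname")
    if [ -z "$realm" ] || [ ! -f "$path" ]; then
        printf '%s\n' "$ccname"
        return 0
    fi
    case "$path" in
        *_"$realm") printf 'FILE:%s\n' "$path"; return 0 ;;
    esac
    new=$(realm_cache_name "$path" "$realm")
    mv "$path" "$new" || { printf '%s\n' "$ccname"; return 1; }
    printf 'FILE:%s\n' "$new"
}

# Call this from ~/.bashrc: only acts when a cache is set and klist exists.
apply_relabel() {
    [ -n "${KRB5CCNAME:-}" ] || return 0
    command -v klist >/dev/null 2>&1 || return 0
    out=$(mktemp) || return 1
    klist > "$out" 2>/dev/null
    KRB5CCNAME=$(relabel_ticket_cache "$KRB5CCNAME" "$out")
    export KRB5CCNAME
    rm -f "$out"
}

# Constructed sample klist output, used only for the stand-alone demonstration.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: liam@EXAMPLE.ORG'
printf '%s\n' "$SAMPLE_KLIST" | realm_from_klist
```

One caveat for anyone adopting this: sshd only knows about the cache file it created, so its cleanup at logout will not find the renamed file and the ticket may be left on disk; pair the rename with a `kdestroy` in your logout script so forwarded credentials do not outlive the session.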


