From owner-freebsd-questions@FreeBSD.ORG Thu May 5 14:50:00 2005
Delivered-To: freebsd-questions@freebsd.org
Date: Thu, 5 May 2005 08:49:52 -0600
From: Tillman Hodgson
To: freebsd-questions@freebsd.org
Message-ID: <20050505144952.GK91867@seekingfire.com>
In-Reply-To: <20050504213330.45410.qmail@web50408.mail.yahoo.com>
Subject: Re: Kerberos 5

On Wed, May 04, 2005 at 02:33:30PM -0700, Damian Sobieralski wrote:
>
> I have a fairly weird question for the group. I recently set up a
> FreeBSD 5.3 box to use pam_krb5 for sshd authentication. It worked
> great. I created a local workstation user via adduser and when it came
> time for the password-based question, I selected no. So when I logged
> in, I typed "klist" and got some verbiage back about my ticket in /tmp.
>
> I rebuilt the box and although I can log into the box, when I type
> klist now I get:
>
> klist: No ticket file: /tmp/krb5cc_0
>
> Or some variation of the ticket file name. It authenticates me okay
> via Kerberos or I couldn't get logged in, but any idea why this might
> happen?

How did you confirm that you were authenticating via Kerberos?

Do you have an environment variable like KRB5CCNAME set anywhere?

Which Kerberos are you talking about? The limited Heimdal in the base OS, the full Heimdal port or the MIT port? Do you have more than one in use and are perhaps running into path issues (running a different program than you think you're running)?

> BTW- I read online that storing tickets like this (in /tmp) is
> potentially a security risk for a server so the thought was to change
> it to home directory tickets like the website recommends.

It depends. In my environment, /home is NFS mounted. This is a Very Bad Thing for Kerberos tickets.
In my case, each computer is basically a single-user workstation and /tmp actually is safer than /home.

-T

-- 
"Beauty is not diminished by being shared." -- Robert Heinlein
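Added example, not part of the original thread and not code from either poster or from FreeBSD: a POSIX sh script that works through the three checks in Tillman's reply offline. It resolves which credential cache file klist will look for from KRB5CCNAME (falling back to the Heimdal/MIT default FILE:/tmp/krb5cc_<uid>, which is the /tmp/krb5cc_0 the question shows), decides whether that file sits on an NFS mount by parsing the output format of FreeBSD's mount(8), and lists every klist found along PATH so you can see whether the base Heimdal (/usr/bin) or a port (/usr/local/bin) is the one actually running. The mount table embedded in the script is constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Constructed diagnostic for "klist: No ticket file: /tmp/krb5cc_<uid>".
# Assumptions (not taken from the thread): Heimdal/MIT default cache name
# FILE:/tmp/krb5cc_<uid>; FreeBSD mount(8) line format
# "<device> on <mountpoint> (<fstype>[, options])"; PATH is colon-separated.

# Constructed mount(8) output: /home is an NFS export, / and /tmp are local UFS.
SAMPLE_MOUNT='/dev/ad0s1a on / (ufs, local)
/dev/ad0s1d on /tmp (ufs, local, soft-updates)
fileserver:/export/home on /home (nfs)'

# Print the cache klist will open, given the KRB5CCNAME value (may be empty)
# and the numeric uid. FILE: prefixes are stripped; a bare path is treated as
# FILE:; other cache types (KCM:, MEMORY:, ...) are printed unchanged.
resolve_ccache() {
    ccname=$1; uid=$2
    if [ -z "$ccname" ]; then
        printf '/tmp/krb5cc_%s\n' "$uid"      # library default when the variable is unset
        return
    fi
    case "$ccname" in
        FILE:*) printf '%s\n' "${ccname#FILE:}" ;;
        *)      printf '%s\n' "$ccname" ;;      # bare path, or a non-file cache type
    esac
}

# Print the filesystem type of the mount holding <path>, using <table>
# (mount(8) output). Longest matching mount point wins, so /home beats /.
fs_type_of() {
    path=$1; table=$2
    best_len=-1; best_type=unknown
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        mp=$(printf '%s\n' "$line" | sed -n 's/^.* on \(.*\) (\([^)]*\))$/\1/p')
        ty=$(printf '%s\n' "$line" | sed -n 's/^.* on .* (\([^,)]*\).*$/\1/p')
        [ -n "$mp" ] || continue
        if [ "$mp" = / ]; then
            len=0                               # root matches every absolute path
        else
            case "$path" in                     # match whole path components only
                "$mp"|"$mp"/*) len=${#mp} ;;
                *) continue ;;
            esac
        fi
        if [ "$len" -gt "$best_len" ]; then best_len=$len; best_type=$ty; fi
    done <<EOF
$table
EOF
    printf '%s\n' "$best_type"
}

# Verdict on the cache location. Returns 1 when the cache file lives on NFS:
# the file server (and, without Kerberized NFS, the wire) then sees the tickets.
check_ccache() {
    f=$(resolve_ccache "$1" "$2")
    case "$f" in
        *:*) printf 'non-file cache %s: nothing on disk to check\n' "$f"; return 0 ;;
    esac
    ty=$(fs_type_of "$f" "$3")
    case "$ty" in
        nfs|nfs4) printf 'WARNING: %s is on %s\n' "$f" "$ty"; return 1 ;;
        *)        printf 'ok: %s is on %s\n' "$f" "$ty"; return 0 ;;
    esac
}

# List every executable called <name> along the colon-separated <dirs>, in
# PATH order. Two hits (e.g. /usr/bin and /usr/local/bin) mean two Kerberos
# implementations are installed; the first line is the one a bare "klist" runs.
find_in_path() {
    name=$1; dirs=$2
    oldifs=$IFS; IFS=:
    for d in $dirs; do
        [ -x "$d/$name" ] && printf '%s\n' "$d/$name"
    done
    IFS=$oldifs
}

# Demo against the constructed table: root's default cache is fine, a cache
# moved under the NFS-mounted /home is not.
check_ccache "" 0 "$SAMPLE_MOUNT" || true
check_ccache "FILE:/home/damian/krb5cc" 1001 "$SAMPLE_MOUNT" || true
```

On the real box run `check_ccache "$KRB5CCNAME" "$(id -u)" "$(mount)"` and `find_in_path klist "$PATH"` from the same shell in which klist fails. One possibility these checks expose: a PAM module may write the session's cache under a name other than the default and hand it to the session only through KRB5CCNAME, so a shell that does not inherit that variable makes klist look for /tmp/krb5cc_<uid> and report no ticket file even though the login itself was Kerberized.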