Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 25 Jan 2016 12:28:20 +0100
From:      Jan Bramkamp <crest@rlwinm.de>
To:        freebsd-current@freebsd.org
Subject:   Re: HPN and None options in OpenSSH
Message-ID:  <56A606D4.2010100@rlwinm.de>
In-Reply-To: <86oacbc9q2.fsf@desk.des.no>
References:  <86mvrxvg79.fsf@desk.des.no> <20160124141847.GM37895@zxy.spb.ru> <86oacbc9q2.fsf@desk.des.no>
next in thread | previous in thread | raw e-mail | index | archive | help 


On 24/01/16 15:50, Dag-Erling Smørgrav wrote:
> Slawa Olhovchenkov <slw@zxy.spb.ru> writes:
>> Can you do some small discurs about ssh+kerberos?
>> I am try to use FreeBSD with $HOME over kerberoized NFS.
>> For kerberoized NFS gssd need to find cache file "called
>> /tmp/krb5cc_<uid>, where <uid> is the effective uid for the RPC
>> caller" (from `man gssd`).
>>
>> sshd contrary create cache file for received ticket called
>> /tmp/krb5cc_XXXXXXX (random string, created by krb5_cc_new_unique). Is
>> this strong security  requirement or [FreeBSD/upstream] can be patched
>> (or introduce option) to use /tmp/krb5cc_<uid> as cache file for
>> received ticket?
>
> I wasn't aware of that.  It should be easy to patch, but in the
> meantime, you can try something like this in .bashrc or whatever:
>
> krb5cc_uid="/tmp/krb5cc_$(id -u)"
> if [ -n "${KRB5CCNAME}" -a "${KRB5CCNAME}" != "${krb5ccuid}" ] ; then
>          if mv "${KRB5CCNAME}" "${krb5ccuid}" ; then
>                  export KRB5CCNAME="${krb5ccuid}"
>          else
>                  echo "Unable to rename krb5 credential cache" >&2
>          fi
> fi
> unset krb5ccuid

If $KRB5CCNAME is set during PAM session setup than the pam_exec module 
might allow a reliable implementation along those lines:

   - Stop if $KRBCCNAME is invalid (klist -t)
   - Stop if /tmp/krb5cc_$UID is already valid and has enough time left
   - Copy the ticket to /tmp and rename it to /tmp/krb5cc_$UID.

Keep in mind that this approach leaves valid tickets in /tmp after the 
SSH session ends while OpenSSH normally does its best to tie forwarded 
tickets to a SSH session.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?56A606D4.2010100>