From owner-freebsd-current@freebsd.org Mon Jan 25 11:28:24 2016
Subject: Re: HPN and None options in OpenSSH
To: freebsd-current@freebsd.org
From: Jan Bramkamp <crest@rlwinm.de>
Message-ID: <56A606D4.2010100@rlwinm.de>
In-Reply-To: <86oacbc9q2.fsf@desk.des.no>
Date: Mon, 25 Jan 2016 12:28:20 +0100
List-Id: Discussions about the use of FreeBSD-current

On 24/01/16 15:50, Dag-Erling Smørgrav wrote:
> Slawa Olhovchenkov writes:
>> Can you do some small discourse about ssh+kerberos?
>> I am trying to use FreeBSD with $HOME over kerberized NFS.
>> For kerberized NFS, gssd needs to find the cache file "called
>> /tmp/krb5cc_<uid>, where <uid> is the effective uid for the RPC
>> caller" (from `man gssd`).
>>
>> sshd, on the contrary, creates the cache file for the received ticket called
>> /tmp/krb5cc_XXXXXXX (random string, created by krb5_cc_new_unique). Is
>> this a strong security requirement, or can [FreeBSD/upstream] be patched
>> (or introduce an option) to use /tmp/krb5cc_<uid> as the cache file for the
>> received ticket?
>
> I wasn't aware of that. It should be easy to patch, but in the
> meantime, you can try something like this in .bashrc or whatever:
>
> # Move the per-session cache sshd created to the per-uid name gssd expects.
> krb5cc_uid="/tmp/krb5cc_$(id -u)"
> if [ -n "${KRB5CCNAME}" ] && [ "${KRB5CCNAME}" != "${krb5cc_uid}" ] ; then
>     if mv "${KRB5CCNAME}" "${krb5cc_uid}" ; then
>         export KRB5CCNAME="${krb5cc_uid}"
>     else
>         echo "Unable to rename krb5 credential cache" >&2
>     fi
> fi
> unset krb5cc_uid

If $KRB5CCNAME is set during PAM session setup then the pam_exec module
might allow a reliable implementation along those lines:

- Stop if $KRB5CCNAME is invalid (klist -t)
- Stop if /tmp/krb5cc_$UID is already valid and has enough time left
- Copy the ticket to /tmp and rename it to /tmp/krb5cc_$UID.

Keep in mind that this approach leaves valid tickets in /tmp after the
SSH session ends, while OpenSSH normally does its best to tie forwarded
tickets to an SSH session.
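The pam_exec helper sketched in the three steps above, written out as an added example; it is not from this thread, from FreeBSD or from OpenSSH. It assumes pam_exec runs it as root at session open with $PAM_USER and the forwarded $KRB5CCNAME in its environment (whether KRB5CCNAME is visible at that point is exactly the open question in the message), that klist is Heimdal's (so `klist -t` exits 0 only for a cache holding a valid TGT), and, because `klist -t` reports only valid or invalid, it approximates "enough time left" by how recently the existing per-uid cache was written. The script path and the KRB5CC_DIR / KRB5CC_MAX_AGE_MIN knobs are hypothetical names chosen here.

```shell
#!/bin/sh
# Hypothetical pam_exec session helper (not FreeBSD's or OpenSSH's code).
# Suggested hook, e.g. in /etc/pam.d/sshd:
#   session  optional  pam_exec.so  /usr/local/libexec/krb5cc_uid.sh
# Assumed: pam_exec runs this as root at session open with $PAM_USER and the
# forwarded $KRB5CCNAME in its environment, and klist is Heimdal's.
set -u
umask 077

# Directory holding the per-uid caches (/tmp per gssd(8)); KRB5CC_DIR and
# KRB5CC_MAX_AGE_MIN are hypothetical knobs, mainly so the logic can be tested.
CACHE_DIR="${KRB5CC_DIR:-/tmp}"
# klist -t only answers valid/invalid, so "enough time left" is approximated
# by how recently the existing per-uid cache was written.
MAX_AGE_MIN="${KRB5CC_MAX_AGE_MIN:-60}"

log() { echo "krb5cc_uid: $*" >&2; }

# Heimdal klist: -t (--test) exits 0 iff the cache holds a valid TGT.
cache_valid() { klist -t -c "FILE:$1" 2>/dev/null; }

# True if $1 was modified within the last MAX_AGE_MIN minutes.
fresh_enough() { find "$1" -maxdepth 0 -mmin "-$MAX_AGE_MIN" -print | grep -q .; }

# True only for a plain file (not a symlink) owned by uid $2: the per-uid
# name is predictable and /tmp is world-writable, so never follow links.
owned_regular_file() {
    [ -f "$1" ] && [ ! -L "$1" ] &&
        find "$1" -maxdepth 0 -type f -user "$2" -print | grep -q .
}

# install_cache SRC UID: the three steps from the message above.
# Returns 0 when the per-uid cache is (already) in place, 1 otherwise.
install_cache() {
    src="$1"; uid="$2"; dst="$CACHE_DIR/krb5cc_$uid"

    # Step 1: stop if the forwarded cache is unusable or holds no valid TGT.
    owned_regular_file "$src" "$uid" || { log "source $src is not a plain file owned by $uid"; return 1; }
    cache_valid "$src" || { log "source $src has no valid TGT"; return 1; }

    # Step 2: stop if a valid, fresh-enough per-uid cache is already there.
    if [ -e "$dst" ] || [ -L "$dst" ]; then
        owned_regular_file "$dst" "$uid" || { log "refusing to replace $dst: not a plain file owned by $uid"; return 1; }
        if cache_valid "$dst" && fresh_enough "$dst"; then
            return 0
        fi
    fi

    # Step 3: copy into a private temp file in the same directory, then rename
    # it over $dst so readers never see a partial cache and no path is followed.
    tmp=$(mktemp "$dst.XXXXXX") || return 1
    if cat "$src" > "$tmp" && chown "$uid" "$tmp" && chmod 0600 "$tmp" && mv -f "$tmp" "$dst"; then
        return 0
    fi
    rm -f "$tmp"
    log "could not install $dst"
    return 1
}

# Entry point for pam_exec: map PAM_USER to a uid and accept either a bare
# path or a FILE: cache name in KRB5CCNAME.
main() {
    cc="$KRB5CCNAME"
    case "$cc" in
        FILE:*) src="${cc#FILE:}" ;;
        /*)     src="$cc" ;;
        *)      log "unsupported credential cache type: $cc"; return 1 ;;
    esac
    uid=$(id -u "$PAM_USER") || return 1
    install_cache "$src" "$uid"
}

# Only act when pam_exec supplies both variables; otherwise the functions
# above are merely defined (e.g. when the file is sourced for testing).
if [ -n "${PAM_USER:-}" ] && [ -n "${KRB5CCNAME:-}" ]; then
    main
    exit $?
fi
```

The ownership and symlink checks, and the temp-file-plus-rename in step 3, are what make reusing a fixed, predictable name in /tmp tolerable: a per-session name from krb5_cc_new_unique avoids the problem entirely, which is why the helper refuses rather than "fixes" a destination that is not already the user's own plain file.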