From owner-freebsd-current@freebsd.org Mon Jan 25 17:08:31 2016 Return-Path: Delivered-To: freebsd-current@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id BA0B3A46866 for ; Mon, 25 Jan 2016 17:08:31 +0000 (UTC) (envelope-from slw@zxy.spb.ru) Received: from zxy.spb.ru (zxy.spb.ru [195.70.199.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 7BE0266E for ; Mon, 25 Jan 2016 17:08:31 +0000 (UTC) (envelope-from slw@zxy.spb.ru) Received: from slw by zxy.spb.ru with local (Exim 4.86 (FreeBSD)) (envelope-from ) id 1aNkct-000J5k-NL; Mon, 25 Jan 2016 20:08:27 +0300 Date: Mon, 25 Jan 2016 20:08:27 +0300 From: Slawa Olhovchenkov To: Jan Bramkamp Cc: freebsd-current@freebsd.org Subject: Re: HPN and None options in OpenSSH Message-ID: <20160125170827.GN37895@zxy.spb.ru> References: <86mvrxvg79.fsf@desk.des.no> <20160124141847.GM37895@zxy.spb.ru> <86oacbc9q2.fsf@desk.des.no> <56A606D4.2010100@rlwinm.de> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <56A606D4.2010100@rlwinm.de> User-Agent: Mutt/1.5.24 (2015-08-30) X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: slw@zxy.spb.ru X-SA-Exim-Scanned: No (on zxy.spb.ru); SAEximRunCond expanded to false X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 25 Jan 2016 17:08:31 -0000 On Mon, Jan 25, 2016 at 12:28:20PM +0100, Jan Bramkamp wrote: > > > On 24/01/16 15:50, Dag-Erling Smørgrav wrote: > > Slawa Olhovchenkov writes: > >> Can you do some small discurs about ssh+kerberos? > >> I am try to use FreeBSD with $HOME over kerberoized NFS. > >> For kerberoized NFS gssd need to find cache file "called > >> /tmp/krb5cc_, where is the effective uid for the RPC > >> caller" (from `man gssd`). > >> > >> sshd contrary create cache file for received ticket called > >> /tmp/krb5cc_XXXXXXX (random string, created by krb5_cc_new_unique). Is > >> this strong security requirement or [FreeBSD/upstream] can be patched > >> (or introduce option) to use /tmp/krb5cc_ as cache file for > >> received ticket? > > > > I wasn't aware of that. It should be easy to patch, but in the > > meantime, you can try something like this in .bashrc or whatever: > > > > krb5cc_uid="/tmp/krb5cc_$(id -u)" > > if [ -n "${KRB5CCNAME}" -a "${KRB5CCNAME}" != "${krb5ccuid}" ] ; then > > if mv "${KRB5CCNAME}" "${krb5ccuid}" ; then > > export KRB5CCNAME="${krb5ccuid}" > > else > > echo "Unable to rename krb5 credential cache" >&2 > > fi > > fi > > unset krb5ccuid > > If $KRB5CCNAME is set during PAM session setup than the pam_exec module > might allow a reliable implementation along those lines: > > - Stop if $KRBCCNAME is invalid (klist -t) > - Stop if /tmp/krb5cc_$UID is already valid and has enough time left > - Copy the ticket to /tmp and rename it to /tmp/krb5cc_$UID. > > Keep in mind that this approach leaves valid tickets in /tmp after the > SSH session ends while OpenSSH normally does its best to tie forwarded > tickets to a SSH session. Please check me: you propose to add to /etc/pam.d/sshd string like session required pam_exec.so /patch/to/some/scripts and do above checks in this scripts? 'session' executed after 'account' phase, on 'account' phase NFS must be already accessed (for checks presents some files in $HOME and importing/executing/interpretating, like .login_conf, .k5login and etc).