Date: Sun, 24 Jan 2016 18:02:11 +0300 From: Slawa Olhovchenkov <slw@zxy.spb.ru> To: Dag-Erling =?utf-8?B?U23DuHJncmF2?= <des@des.no> Cc: freebsd-current@freebsd.org, freebsd-stable@freebsd.org, freebsd-security@freebsd.org Subject: Re: HPN and None options in OpenSSH Message-ID: <20160124150211.GQ88527@zxy.spb.ru> In-Reply-To: <86oacbc9q2.fsf@desk.des.no> References: <86mvrxvg79.fsf@desk.des.no> <20160124141847.GM37895@zxy.spb.ru> <86oacbc9q2.fsf@desk.des.no>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, Jan 24, 2016 at 03:50:45PM +0100, Dag-Erling Smørgrav wrote:
> Slawa Olhovchenkov <slw@zxy.spb.ru> writes:
> > Can you do some small discurs about ssh+kerberos?
> > I am try to use FreeBSD with $HOME over kerberoized NFS.
> > For kerberoized NFS gssd need to find cache file "called
> > /tmp/krb5cc_<uid>, where <uid> is the effective uid for the RPC
> > caller" (from `man gssd`).
> >
> > sshd contrary create cache file for received ticket called
> > /tmp/krb5cc_XXXXXXX (random string, created by krb5_cc_new_unique). Is
> > this strong security requirement or [FreeBSD/upstream] can be patched
> > (or introduce option) to use /tmp/krb5cc_<uid> as cache file for
> > received ticket?
>
> I wasn't aware of that. It should be easy to patch, but in the
Yes, I am already do ugly patch for me (2 files need to patch), but patch in
upstream preffered.
> meantime, you can try something like this in .bashrc or whatever:
Imposible. For accessing .bashrc on kerberoized NFS need correct /tmp/krb5cc_<uid>.
> krb5cc_uid="/tmp/krb5cc_$(id -u)"
> if [ -n "${KRB5CCNAME}" -a "${KRB5CCNAME}" != "${krb5ccuid}" ] ; then
> if mv "${KRB5CCNAME}" "${krb5ccuid}" ; then
> export KRB5CCNAME="${krb5ccuid}"
> else
> echo "Unable to rename krb5 credential cache" >&2
> fi
> fi
> unset krb5ccuid
>
> DES
> --
> Dag-Erling Smørgrav - des@des.no
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20160124150211.GQ88527>