From owner-freebsd-stable@freebsd.org  Sun Jan 24 15:02:13 2016
Return-Path: <owner-freebsd-stable@freebsd.org>
Delivered-To: freebsd-stable@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7B38B9D233C;
 Sun, 24 Jan 2016 15:02:13 +0000 (UTC) (envelope-from slw@zxy.spb.ru)
Received: from zxy.spb.ru (zxy.spb.ru [195.70.199.98])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 3C58FB70;
 Sun, 24 Jan 2016 15:02:13 +0000 (UTC) (envelope-from slw@zxy.spb.ru)
Received: from slw by zxy.spb.ru with local (Exim 4.86 (FreeBSD))
 (envelope-from <slw@zxy.spb.ru>)
 id 1aNMB9-000AjQ-9l; Sun, 24 Jan 2016 18:02:11 +0300
Date: Sun, 24 Jan 2016 18:02:11 +0300
From: Slawa Olhovchenkov <slw@zxy.spb.ru>
To: Dag-Erling =?utf-8?B?U23DuHJncmF2?= <des@des.no>
Cc: freebsd-current@freebsd.org, freebsd-stable@freebsd.org,
 freebsd-security@freebsd.org
Subject: Re: HPN and None options in OpenSSH
Message-ID: <20160124150211.GQ88527@zxy.spb.ru>
References: <86mvrxvg79.fsf@desk.des.no> <20160124141847.GM37895@zxy.spb.ru>
 <86oacbc9q2.fsf@desk.des.no>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <86oacbc9q2.fsf@desk.des.no>
User-Agent: Mutt/1.5.24 (2015-08-30)
X-SA-Exim-Connect-IP: <locally generated>
X-SA-Exim-Mail-From: slw@zxy.spb.ru
X-SA-Exim-Scanned: No (on zxy.spb.ru); SAEximRunCond expanded to false
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-stable>, 
 <mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable/>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
 <mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Jan 2016 15:02:13 -0000

On Sun, Jan 24, 2016 at 03:50:45PM +0100, Dag-Erling Smørgrav wrote:

> Slawa Olhovchenkov <slw@zxy.spb.ru> writes:
> > Can you do some small discurs about ssh+kerberos?
> > I am try to use FreeBSD with $HOME over kerberoized NFS.
> > For kerberoized NFS gssd need to find cache file "called
> > /tmp/krb5cc_<uid>, where <uid> is the effective uid for the RPC
> > caller" (from `man gssd`).
> >
> > sshd contrary create cache file for received ticket called
> > /tmp/krb5cc_XXXXXXX (random string, created by krb5_cc_new_unique). Is
> > this strong security  requirement or [FreeBSD/upstream] can be patched
> > (or introduce option) to use /tmp/krb5cc_<uid> as cache file for
> > received ticket?
> 
> I wasn't aware of that.  It should be easy to patch, but in the

Yes, I am already do ugly patch for me (2 files need to patch), but patch in
upstream preffered.

> meantime, you can try something like this in .bashrc or whatever:

Imposible. For accessing .bashrc on kerberoized NFS need correct /tmp/krb5cc_<uid>.

> krb5cc_uid="/tmp/krb5cc_$(id -u)"
> if [ -n "${KRB5CCNAME}" -a "${KRB5CCNAME}" != "${krb5ccuid}" ] ; then
>         if mv "${KRB5CCNAME}" "${krb5ccuid}" ; then
>                 export KRB5CCNAME="${krb5ccuid}"
>         else        
>                 echo "Unable to rename krb5 credential cache" >&2
>         fi
> fi
> unset krb5ccuid
> 
> DES
> -- 
> Dag-Erling Smørgrav - des@des.no