Liam Healy <l...@healy.washington.dc.us> writes:

> When sshing to this computer with forwarded tickets, the filename is
> changed from what is defined by $KRBCCNAME on the client to some kind of
> default naming /tmp/krb5ccname_<uid>_xxxxx. This means that the ticket
> is there, but not under the expected name, so setting $KRB5CCNAME on the
> server to the same value on the client means that the ticket is not
> seen. This worked correctly under lenny.

Why would you do that, rather than just let sshd set KRB5CCNAME to the appropriate value, which it will do automatically? KRB5CCNAME should generally always point to a randomly-named ticket cache as long as files in /tmp are used, since otherwise you raise the possibility of DoS attacks and other annoyances due to known-file-name attacks in /tmp.

KRB5CCNAME is a system-local setting. It doesn't make sense to forward it from one system to another. The remote system could be using something completely different to store the ticket cache, like KCM or kernel keyring caches.

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
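
An added example, not part of the original thread: a Python check of the KRB5CCNAME value the server side actually has, covering both points in the reply (the cache may not be a file at all, and a file cache in /tmp should be a private regular file rather than a name someone else could have created first). The function names `parse_ccname` and `audit_ccache` and the wording of the findings are this example's own; the sample paths are constructed.

```python
import os
import stat
import tempfile


def parse_ccname(value):
    """Split a KRB5CCNAME value into (type, residual); a bare path means FILE."""
    head, sep, rest = value.partition(":")
    if sep and head.isalpha():
        return head, rest
    return "FILE", value


def audit_ccache(value, uid=None):
    """Return (cache_type, findings) for a KRB5CCNAME value on the local host."""
    uid = os.getuid() if uid is None else uid
    ctype, path = parse_ccname(value)
    if ctype != "FILE":
        # KCM, KEYRING and similar: no file in /tmp, so a client path is meaningless here
        return ctype, []
    try:
        st = os.lstat(path)  # lstat so a planted symlink is seen, not followed
    except FileNotFoundError:
        return ctype, ["missing: no cache file at this path on this host"]
    findings = []
    if stat.S_ISLNK(st.st_mode):
        findings.append("symlink: the name resolves wherever its creator pointed it")
    elif not stat.S_ISREG(st.st_mode):
        findings.append("type: not a regular file")
    elif st.st_mode & 0o077:
        findings.append("mode: accessible to group or other")
    if st.st_uid != uid:
        findings.append("owner: uid %d, expected %d" % (st.st_uid, uid))
    return ctype, findings


if __name__ == "__main__":
    # Constructed sample data: a private directory stands in for /tmp.
    demo = tempfile.mkdtemp()
    fd, cache = tempfile.mkstemp(prefix="krb5cc_1000_", dir=demo)  # random suffix, 0600
    os.close(fd)
    fixed = os.path.join(demo, "krb5cc_fixed")  # predictable name created beforehand
    os.symlink(cache, fixed)
    for value in ("FILE:" + cache, "FILE:" + fixed, "KEYRING:persistent:1000", "KCM:"):
        print(value, "->", audit_ccache(value))
```

Run on the server after login, `audit_ccache(os.environ["KRB5CCNAME"])` reports on the cache sshd created there, which is the value to trust rather than one copied from the client.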