On Mon, Apr 9, 2012 at 11:32 PM, Russ Allbery <r...@debian.org> wrote:
> Liam Healy <l...@healy.washington.dc.us> writes:
>
> > When sshing to this computer with forwarded tickets, the filename is
> > changed from what is defined by $KRB5CCNAME on the client to some kind of
> > default naming /tmp/krb5ccname_<uid>_xxxxx. This means that the ticket
> > is there, but not under the expected name, so setting $KRB5CCNAME on the
> > server to the same value on the client means that the ticket is not
> > seen. This worked correctly under lenny.
>
> Why would you do that, rather than just let sshd set KRB5CCNAME to the
> appropriate value, which it will do automatically? KRB5CCNAME should
> generally always point to a randomly-named ticket cache as long as files
> in /tmp are used, since otherwise you raise the possibility of DoS attacks
> and other annoyances due to known-file-name attacks in /tmp.
>
> KRB5CCNAME is a system-local setting. It doesn't make sense to forward it
> from one system to another. The remote system could be using something
> completely different to store the ticket cache, like KCM or kernel keyring
> caches.
>
> --
> Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>

Because I use two Kerberos realms simultaneously, and I need to distinguish
them somehow. I rename them with the realm name as part of the file name.
I was using "KRB5CCNAME" in my report as a proxy for the filename; what I
should have said is that the ticket file name is being changed from what it
is on the ssh client. In addition, it seems that only the $KRB5CCNAME
ticket is forwarded; it would be nice to be able to forward more than one
ticket. If there's a better way to keep track of tickets than renaming the
file, I'll do that.

Thanks,
Liam
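As an added illustration of the point Russ makes above (it is not part of this thread, nor code from Kerberos, OpenSSH or Debian), here is a small POSIX sh check a user can run after logging in. The function names `ccache_type`, `ccache_path`, `ccache_name_is_predictable` and `ccache_file_ok` are my own, and the sample values in the comments are constructed. It classifies a KRB5CCNAME value by cache type (FILE versus KCM, KEYRING, DIR and so on, which is why a client-side value cannot be assumed to mean anything on the server), flags the guessable MIT default `/tmp/krb5cc_<uid>` as opposed to the random-suffix name that sshd assigns, and verifies that a FILE: cache is a regular, non-symlink file owned by the caller with mode 0600.

```shell
#!/bin/sh
# Added example: inspect a KRB5CCNAME value and its backing file.
# All function names are assumptions for this illustration.

# ccache_type VALUE -> prints the cache type tag (FILE, DIR, KCM, KEYRING, ...).
# MIT treats a value without a recognised "TYPE:" prefix as a FILE: cache.
ccache_type() {
    case "$1" in
        *:*)
            prefix=${1%%:*}
            case "$prefix" in
                # "/tmp/odd:name" is a path containing a colon, not a type tag
                *[!A-Za-z]*|"") printf 'FILE\n' ;;
                *) printf '%s\n' "$prefix" ;;
            esac ;;
        *) printf 'FILE\n' ;;
    esac
}

# ccache_path VALUE -> prints the filesystem path for FILE:/DIR: caches,
# and an empty line for cache types that have no path (KCM, KEYRING, ...).
ccache_path() {
    case "$(ccache_type "$1")" in
        FILE|DIR)
            case "$1" in
                FILE:*|DIR:*) printf '%s\n' "${1#*:}" ;;
                *) printf '%s\n' "$1" ;;
            esac ;;
        *) printf '\n' ;;
    esac
}

# ccache_name_is_predictable VALUE -> exit 0 when the cache is a FILE: cache
# named exactly /tmp/krb5cc_<uid> (the library default, guessable by anyone
# who knows the uid), exit 1 for random-suffix names such as
# /tmp/krb5cc_1000_AbCdEf (constructed sample) and for non-file caches.
ccache_name_is_predictable() {
    [ "$(ccache_type "$1")" = FILE ] || return 1
    p=$(ccache_path "$1")
    case "$p" in
        /tmp/krb5cc_[0-9]*)
            suffix=${p#/tmp/krb5cc_}
            case "$suffix" in
                *[!0-9]*) return 1 ;;   # "<uid>_XXXXXX": random suffix present
                *) return 0 ;;          # "<uid>" only: predictable
            esac ;;
        *) return 1 ;;
    esac
}

# ccache_file_ok PATH -> exit 0 when PATH is a regular file (not a symlink),
# owned by the caller, and readable/writable by the owner only.
ccache_file_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    # GNU stat first, BSD/macOS stat as fallback
    perms=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case "$perms" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration on the caller's own session; does nothing if KRB5CCNAME is unset.
if [ -n "${KRB5CCNAME:-}" ]; then
    printf 'KRB5CCNAME=%s type=%s\n' "$KRB5CCNAME" "$(ccache_type "$KRB5CCNAME")"
    if ccache_name_is_predictable "$KRB5CCNAME"; then
        echo "warning: cache uses the guessable /tmp/krb5cc_<uid> name"
    fi
    cc_path=$(ccache_path "$KRB5CCNAME")
    if [ -n "$cc_path" ] && [ "$(ccache_type "$KRB5CCNAME")" = FILE ]; then
        ccache_file_ok "$cc_path" && echo "cache file ownership and mode look fine" \
            || echo "warning: cache file is a symlink, not yours, or too permissive"
    fi
fi
```

Running this in the shell sshd started (rather than in one where KRB5CCNAME was re-exported from the client) shows the random-suffix FILE: name sshd chose, which is the behaviour Russ describes as intended.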
> Liam Healy <l...@healy.washington.dc.us> writes: > > > When sshing to this computer with forwarded tickets, the filename is > > changed from what is defined by $KRBCCNAME on the client to some kind of > > default naming /tmp/krb5ccname_<uid>_xxxxx. This means that the ticket > > is there, but not under the expected name, so setting $KRB5CCNAME on the > > server to the same value on the client means that the ticket is not > > seen. This worked correctly under lenny. > > Why would you do that, rather than just let sshd set KRB5CCNAME to the > appropriate value, which it will do automatically? KRB5CCNAME should > generally always point to a randomly-named ticket cache as long as files > in /tmp are used, since otherwise you raise the possibility of DoS attacks > and other annoyances due to known-file-name attacks in /tmp. > > KRB5CCNAME is a system-local setting. It doesn't make sense to forward it > from one system to another. The remote system could be using something > completely different to store the ticket cache, like KCM or kernel keyring > caches. > > -- > Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/> > Because I use two Kerberos realms simultaneously, and I need to distinguish them somehow. I rename them with the realm name as part of the file name. I was using "KRB5CCNAME" in my report as a proxy for the filename, what I should have said is that ticket file name is being changed from what it is on the ssh client. In addition, it seems that only $KRB5CCNAME ticket is forwarded; it would be nice to be able to forward more than one ticket. If there's a better way to keep track of tickets than renaming the file, I'll do that. Thanks, Liam