Toby, you are mostly interested in this because you have some sort of policy, perhaps one that doesn't allow secrets to be stored on disk in clear text and protected just by filesystem permissions?
-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1889548 Title: ssh using gssapi will enforce FILE: credentials cache Status in portable OpenSSH: Unknown Status in openssh package in Ubuntu: Confirmed Bug description: Hi, ssh connections from a client with the following in ssh_config... GSSAPIAuthentication yes GSSAPIDelegateCredentials yes ... to an ubuntu 20.04 machine result in KRB5CCNAME being set to 'FILE:/tmp/krb5cc_[uid]_[random]' despite the following in /etc/krb5.conf: [libdefaults] ... default_ccache_name = KEYRING:persistent:%{uid} This means that we cannot enforce a policy to use KEYRING ccaches across our systems. Authentications which go via the pam stack (e.g. login to the machine at the console or over ssh using a password) can be configured to use a KEYRING ccache, via libpam-krb5 settings in /etc/krb5.conf. The FILE: setting seems to be hard-coded in the openssh code (auth- krb5.c). It would be great if ssh(gssapi-with-mic) connections either (a) set KRB5CCNAME to the default_ccache_name value, if set in /etc/krb5.conf, or (b) didn't set KRB5CCNAME at all, so the system default is used. Many thanks Toby Blake School of Informatics University of Edinburgh To manage notifications about this bug go to: https://bugs.launchpad.net/openssh/+bug/1889548/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
