Discussion:
KRB5CCNAME and sshd
Victor Sudakov
2006-01-26 11:33:50 UTC
Colleagues,

I have "GSSAPIAuthentication yes" in sshd_config on the server machine
and in ssh_config on the client machine.

Each time I ssh into the server machine, the value of KRB5CCNAME
(probably set by sshd) is different. Is there a way to keep it
the same every time I login?

The value of "/tmp/krb5cc_NN" where NN is my uid would be fine.

I am running OpenSSH 3.8.1 on FreeBSD 5.x
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
Douglas E. Engert
2006-01-27 16:13:58 UTC
Post by Victor Sudakov
Colleagues,
I have "GSSAPIAuthentication yes" in sshd_config on the server machine
and in ssh_config on the client machine.
Each time I ssh into the server machine, the value of KRB5CCNAME
(probably set by sshd) is different. Is there a way to keep it
the same every time I login?
Not really. Most people want session based credential caches,
so that multiple sessions on the same machine do not interfere with
each other. SSH will delete the session cache at the end of a session
if it created it.

But then again you might want to be able to refresh credentials
in your other sessions. This could be done manually by replacing
the UID based common cache and unsetting the KRB5CCNAME set by sshd.
But don't destroy the shared cache. Watch out for console logins
that usually use the default cache name.
Post by Victor Sudakov
The value of "/tmp/krb5cc_NN" where NN is my uid would be fine.
I am running OpenSSH 3.8.1 on FreeBSD 5.x
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
Donn Cave
2006-01-27 19:02:43 UTC
In article <drdj08$1t50$1 at relay.tomsk.ru>,
I will tell you what I am trying to achieve, perhaps you can give me
advice.
I "kinit -f" on the client box at home and then ssh to the server box
at work. On the server box, I have screen(1) running, which I
reattach after login and detach before logout. It runs for weeks and
even months on end.
You know that all screen "sessions" or "windows" inherit the
environment variables from the shell where screen was started
initially. So, $KRB5CCNAME in the screen "sessions" points to stale
credential caches, even though the fresh credentials have been
correctly forwarded from the client machine and are available in some
new place (but there is no way to inform the applications within
screen about this new place).
I would like to achieve that if my credentials have been forwarded to
the server box, they should be refreshed in all the screen windows.
That certainly must be a manual operation. I don't use screen,
but I suppose you have a number of concurrent shell processes,
and they are not really aware of this connect/disconnect cycle,
so they have no way to know when it's time to update KRB5CCNAME.
You must therefore enter some command, in each window, to get
them to do that.

The command can be a simple one, if you use an alias or shell
procedure. Your shell startup can save the value of KRB5CCNAME
somewhere so the old screen shell can find it.

Donn Cave, donn at u.washington.edu
"Martin v. Löwis"
2006-01-28 11:17:40 UTC
However, a manual operation could be easily avoided if I could
persuade sshd to store the forwarded credentials always in the same
place.
Use the source, Luke. In auth-krb5.c:ssh_krb5_cc_gen, the credentials
cache is generated through

    snprintf(ccname, sizeof(ccname),
             "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
    mkstemp(ccname + strlen("FILE:"));

No provision for non-temp ccnames is made.

So either change the code, or use a different SSH server, or accept
the way things are.

In your specific case, creating a symlink from a fixed ccname to the
session-created one might do the trick.

Regards,
Martin
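The two suggestions made in this thread, Donn's (have the login shell record the value of KRB5CCNAME somewhere an old screen shell can find it) and Martin's (a symlink from a fixed name to the session-created cache), as one added shell example. This is not code from the thread, from OpenSSH or from the Kerberos distributions; the pointer file ~/.krb5ccname, the stable link ~/.krb5cc, the variables KRB5_CC_POINTER and KRB5_CC_LINK and the function names are assumptions of this example. Both files are kept in $HOME rather than in the world-writable /tmp, and every switch first checks that the recorded cache still exists as a regular file owned by the caller.

```shell
#!/bin/sh
# Added example (not from the thread, OpenSSH or Kerberos): keep a stable,
# per-user pointer to the per-session credential cache that sshd creates, so
# shells that started long ago (e.g. inside screen) can pick up freshly
# forwarded credentials.
#
# Assumptions (hypothetical names, not from any project): the pointer file is
# $KRB5_CC_POINTER (default $HOME/.krb5ccname) and the stable symlink is
# $KRB5_CC_LINK (default $HOME/.krb5cc).

: "${KRB5_CC_POINTER:=$HOME/.krb5ccname}"
: "${KRB5_CC_LINK:=$HOME/.krb5cc}"

# Strip an optional "FILE:" prefix so the underlying path can be tested.
krb5_cc_path() {
    case "$1" in
        FILE:*) printf '%s\n' "${1#FILE:}" ;;
        *)      printf '%s\n' "$1" ;;
    esac
}

# Call from the login shell's startup file (e.g. ~/.profile) once sshd has
# set KRB5CCNAME to a fresh session cache. Records the name (mode 0600) and
# repoints the stable symlink at it. Returns 1 if there is nothing usable.
krb5_cc_publish() {
    cc=$(krb5_cc_path "${KRB5CCNAME:-}")
    [ -n "$cc" ] && [ -f "$cc" ] && [ -O "$cc" ] || return 1
    ( umask 077; printf 'FILE:%s\n' "$cc" > "$KRB5_CC_POINTER" ) || return 1
    chmod 600 "$KRB5_CC_POINTER"
    ln -sfn "$cc" "$KRB5_CC_LINK"
}

# Call in an old shell (a screen window) to adopt the latest session cache.
# Refuses to switch if the recorded cache no longer exists or is not ours,
# which is the state after sshd has removed the cache at logout.
krb5_cc_refresh() {
    [ -r "$KRB5_CC_POINTER" ] || return 1
    name=$(cat "$KRB5_CC_POINTER")
    cc=$(krb5_cc_path "$name")
    [ -n "$cc" ] && [ -f "$cc" ] && [ -O "$cc" ] || return 1
    KRB5CCNAME="$name"
    export KRB5CCNAME
}
```

Source the file from ~/.profile and call krb5_cc_publish there; in an old screen window run krb5_cc_refresh before starting the mail or IRC client. Because sshd deletes the session cache it created when the session ends, both the pointer and the link go stale at logout and krb5_cc_refresh refuses to adopt them; a program that must keep working between logins needs a copy of the tickets, not a pointer to the session file.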
Victor Sudakov
2006-01-28 05:37:52 UTC
Post by Donn Cave
I will tell you what I am trying to achieve, perhaps you can give me
advice.
I "kinit -f" on the client box at home and then ssh to the server box
at work. On the server box, I have screen(1) running, which I
reattach after login and detach before logout. It runs for weeks and
even months on end.
You know that all screen "sessions" or "windows" inherit the
environment variables from the shell where screen was started
initially. So, $KRB5CCNAME in the screen "sessions" points to stale
credential caches, even though the fresh credentials have been
correctly forwarded from the client machine and are available in some
new place (but there is no way to inform the applications within
screen about this new place).
I would like to achieve that if my credentials have been forwarded to
the server box, they should be refreshed in all the screen windows.
That certainly must be a manual operation. I don't use screen,
but I suppose you have a number of concurrent shell processes,
The applications running under screen are not necessarily shell
processes. They could be applications like a mail client, IRC client etc.
Post by Donn Cave
and they are not really aware of this connect/disconnect cycle,
Correct.
Post by Donn Cave
so they have no way to know when it's time to update KRB5CCNAME.
You must therefore enter some command, in each window, to get
them to do that.
The command can be a simple one, if you use an alias or shell
procedure. Your shell startup can save the value of KRB5CCNAME
somewhere so the old screen shell can find it.
However, a manual operation could be easily avoided if I could
persuade sshd to store the forwarded credentials always in the same
place.

For example, telnetd does not do any such fancy things with unique
KRB5CCNAME for each new login.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
Victor Sudakov
2006-01-29 03:02:35 UTC
However, a manual operation could be easily avoided if I could
persuade sshd to store the forwarded credentials always in the same
place.
For example, telnetd does not do any such fancy things with unique
KRB5CCNAME for each new login.
It surely does not in FreeBSD 4.x (and Heimdal from the ports collection).
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
Victor Sudakov
2006-01-27 16:52:27 UTC
Post by Douglas E. Engert
But then again you might want to be able to refresh credentials
in your other sessions. This could be done manually by replacing
the UID based common cache and unsetting the KRB5CCNAME set by sshd.
The case is that if I unset the KRB5CCNAME set by sshd, I lose the
forwarded credentials which sshd stores under a unique name, not under
the common name.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
Victor Sudakov
2006-01-27 16:50:16 UTC
Post by Douglas E. Engert
Post by Victor Sudakov
I have "GSSAPIAuthentication yes" in sshd_config on the server machine
and in ssh_config on the client machine.
Each time I ssh into the server machine, the value of KRB5CCNAME
(probably set by sshd) is different. Is there a way to keep it
the same every time I login?
Not really. Most people want session based credential caches,
so that multiple sessions on the same machine do not interfere with
each other. SSH will delete the session cache at the end of a session
if it created it.
But then again you might want to be able to refresh credentials
in your other sessions. This could be done manually by replacing
the UID based common cache and unsetting the KRB5CCNAME set by sshd.
But don't destroy the shared cache. Watch out for console logins
that usually use the default cache name.
I will tell you what I am trying to achieve, perhaps you can give me
advice.

I "kinit -f" on the client box at home and then ssh to the server box
at work. On the server box, I have screen(1) running, which I
reattach after login and detach before logout. It runs for weeks and
even months on end.

You know that all screen "sessions" or "windows" inherit the
environment variables from the shell where screen was started
initially. So, $KRB5CCNAME in the screen "sessions" points to stale
credential caches, even though the fresh credentials have been
correctly forwarded from the client machine and are available in some
new place (but there is no way to inform the applications within
screen about this new place).

I would like to achieve that if my credentials have been forwarded to
the server box, they should be refreshed in all the screen windows.
Post by Douglas E. Engert
Post by Victor Sudakov
The value of "/tmp/krb5cc_NN" where NN is my uid would be fine.
I am running OpenSSH 3.8.1 on FreeBSD 5.x
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
Douglas E. Engert
2006-01-30 15:20:21 UTC
Post by Douglas E. Engert
Post by Victor Sudakov
I have "GSSAPIAuthentication yes" in sshd_config on the server machine
and in ssh_config on the client machine.
Each time I ssh into the server machine, the value of KRB5CCNAME
(probably set by sshd) is different. Is there a way to keep it
the same every time I login?
Not really. Most people want session based credential caches,
so that multiple sessions on the same machine do not interfere with
each other. SSH will delete the session cache at the end of a session
if it created it.
But then again you might want to be able to refresh credentials
in your other sessions. This could be done manually by replacing
the UID based common cache and unsetting the KRB5CCNAME set by sshd.
But don't destroy the shared cache. Watch out for console logins
that usually use the default cache name.
I will tell you what I am trying to achieve, perhaps you can give me
advice.
I "kinit -f" on the client box at home and then ssh to the server box
at work. On the server box, I have screen(1) running, which I
reattach after login and detach before logout. It runs for weeks and
even months on end.
You know that all screen "sessions" or "windows" inherit the
environment variables from the shell where screen was started
initially. So, $KRB5CCNAME in the screen "sessions" points to stale
credential caches, even though the fresh credentials have been
correctly forwarded from the client machine and are available in some
new place (but there is no way to inform the applications within
screen about this new place).
I would like to achieve that if my credentials have been forwarded to
the server box, they should be refreshed in all the screen windows.
Donn and Russ have made some good comments. As you might realize by now,
this is not an easy problem to solve, as there are outstanding issues.

The point being that the krb libs will look for KRB5CCNAME if present
and if not use the default name of krb5cc_<uid>. Since all your processes are
running under the same uid, you can manipulate all of your file caches from
any of your processes.

But the above may only work for file based credentials. If you are using AFS
or NFSv4 there are other issues, as the sessions may be in separate
Process Authentication Groups. Some process in the PAG may have to
use the new credentials to refresh the credentials in the kernel (AFS token)
for example. So each session may need a process that notices the ticket
cache has been updated, then gets the new AFS token. I believe Stanford
has a program to do this for AFS.

If one of your sessions uses ssh to connect to a third system,
you may want to forward credentials to that system as well.
Post by Douglas E. Engert
Post by Victor Sudakov
The value of "/tmp/krb5cc_NN" where NN is my uid would be fine.
I am running OpenSSH 3.8.1 on FreeBSD 5.x
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
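Douglas's manual alternative, replacing the uid-based common cache with the contents of the session cache so that processes without KRB5CCNAME set see the new tickets, as an added shell example (not code from the thread, OpenSSH or the Kerberos libraries). It assumes file-based caches whose default name is krb5cc_<uid> in the cache directory, as the message states; the variable KRB5_CC_DIR (default /tmp) and the function names are assumptions of this example. The session cache is left in place so sshd can remove it at logout as usual, and the default name is never replaced through a symlink or over a file the caller does not own.

```shell
#!/bin/sh
# Added example (not from the thread, OpenSSH or Kerberos): copy the
# per-session cache that sshd created into the uid-based default cache that
# the Kerberos libraries fall back to when KRB5CCNAME is unset.
#
# Assumptions: file-based caches only; default cache name krb5cc_<uid> in
# $KRB5_CC_DIR (hypothetical knob, default /tmp, overridable for testing).

: "${KRB5_CC_DIR:=/tmp}"

# Strip an optional "FILE:" prefix so the underlying path can be tested.
krb5_cc_path() {
    case "$1" in
        FILE:*) printf '%s\n' "${1#FILE:}" ;;
        *)      printf '%s\n' "$1" ;;
    esac
}

# Name of the cache the libraries use when KRB5CCNAME is not set.
krb5_default_cc() {
    printf '%s/krb5cc_%s\n' "$KRB5_CC_DIR" "$(id -u)"
}

# Promote the current session cache to the default cache.
# Returns 1 and changes nothing if the session cache is missing or not a
# regular file owned by us, or if the default name is held by a symlink or
# by a file we do not own (a planted link in a world-writable directory
# must never be followed when writing).
krb5_cc_promote() {
    src=$(krb5_cc_path "${KRB5CCNAME:-}")
    dst=$(krb5_default_cc)
    [ -n "$src" ] && [ -f "$src" ] && [ -O "$src" ] || return 1
    [ "$src" != "$dst" ] || return 0            # already the default cache
    if [ -L "$dst" ]; then return 1; fi
    if [ -e "$dst" ] && ! [ -O "$dst" ]; then return 1; fi
    # mktemp creates the temp copy with mode 0600; renaming it into place
    # means readers never observe a half-written cache.
    tmp=$(mktemp "$KRB5_CC_DIR/krb5cc_promote.XXXXXX") || return 1
    if cat "$src" > "$tmp"; then
        mv -f "$tmp" "$dst"
    else
        rm -f "$tmp"
        return 1
    fi
}
```

Run krb5_cc_promote from the login shell after a fresh connection; the screen windows that never had KRB5CCNAME set, or that have unset it, then read the default cache and see the forwarded tickets, while the session cache stays where sshd expects to find and delete it. This covers only file caches; as the message notes, AFS or NFSv4 sessions in separate PAGs still need a process to obtain new kernel tokens.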
Russ Allbery
2006-01-29 04:48:31 UTC