-
Notifications
You must be signed in to change notification settings - Fork 247
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
KCM: Support for per-session credential cache, similar to KEYRING:session: #5334
Comments
I always woundered why openSSH needs to auth in such an odd order, makes life much harder others. |
Probably because openssh was not built around PAM as the other modern linux software. But simply changing OpenSSH to do the credential forwarding later is not going to address the original issue as it is a "chicken-egg" problem -- the session part of of the pam stack sets up the kernel keyring session and following modules already expect the forwarded credential being present. Unless ssh would inject its own pam module between these two (and manage to pass the forwarded credentials to it). |
I see, something needs to be done at the ssh side then before ssh ticket problems can be resolved. One this I have noted is that sssd renewal does not seem to work even for login tickets. |
IIUC, #5450 should address this. |
This test was without KCM, just FILE: protocol. Should not that work for simple cases like this? |
I left the session alone over night and now a got a refresh(I think) It seems like sssd does not respect the renew settings, but is using some automatic refresh algo. |
We need to figure out if this is still relevant taking into account RHBZ 1843240 is closed. |
Update: We don't have any drivers or enough justification to spend efforts in this specific use case right now. |
This feature request comes from the red hat bugzilla [1].
The SSH login using GSSAPI authentication with credential forwarding (
GSSAPIAuthentication yes
andGSSAPIDelegateCredentials yes
) or kerberos authentication (KerberosAuthentication yes
) create a credential cache, that makes sense in a particular session.Originally, it used to be only
FILE:
type under tmp, which just works, but does not look very good from security point of view. Now, we support any other types (after #876 also KCM:), but these come fromkrb5.conf
'sdefault_ccache_name
, which is generally per user credential cache, which is not a good fit for remote logins, especially if different principals are logging into the same linux account.Similar feature exists in KERING:session but it is not usable for ssh at this moment because we need to store the credential before the actual user keyring session is opened during the pam session execution, but this is a different problem we will have to look into.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1843240
The text was updated successfully, but these errors were encountered: