use per GSSAPIClientIdentity kerberos credential cache #24
Comments
Meanwhile I've seen that there's: Maybe these do more or less what I'm looking for (and should be merged into the GSSAPI patch?).
I intentionally left out that patch from this repository, as this repository is limited to the gssapi key exchange implementation. What you are asking is implemented as a separate patch as asked by some of our users and you are free to use it. Should work in Fedora (and if not, feel free to open bugs there). I can not comment for upstream nor other distributions if they are interested in supporting this.
Okay I see, but since OpenSSH upstream is probably not going to merge any of these GSSAPI patches soon, wouldn't it make sense if all distros shared some common upstream repo for those patches?
Indeed, it would be better, but each and every distribution has different aims and what might make sense for one is completely unrelated for another, and what might be a useful feature might be considered a maintenance burden.
In Ubuntu we are evaluating[1] the inclusion of the new-unique patch. We have daily builds applying that patch on top of our packaging, and also added autopkgtests[2] that exercise the "gssapi-new-unique" functionality. For now, during this period, the patched builds are in a separate package and we use update-alternatives to avoid a conflict between patched and unpatched sshd.
I anyway just meant this for the "base patches", i.e. only based on upstream's git with no further distro-specific modifications.
I've asked a few days ago whether Debian could add it.
Hey.
It would be nice if the patch would provide some way to let it use a (private) kerberos credential cache.
My usage scenario is about the following:
The patch is already so smart, so that it automatically requests a ticket using the keytab file when I connect to a host, for which GSSAPI authentication is configured.
So I can log in fully automated (without any need to enter a passphrase, if my keytab file contains it) and get a ticket (including for AFS).
That ticket is however stored in the "main" ticket cache (i.e. the one I'd also see by a plain `klist`). If a ticket exists already, say for realm A, no new ticket would be created when I try to log in to a host using realm B.
Therefore, login (via GSSAPI) would fail to nodes that don't use realm A.
Not sure what would be the best solution to handle this.
`GSSAPIClientIdentity` value?
Thanks,
Chris.
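The failure mode described in this report (a ticket already cached for realm A, so no ticket is obtained for realm B and GSSAPI login to realm B fails) can be worked around on the client side without any patch change, by giving each client identity its own credential cache through `KRB5CCNAME` and obtaining the ticket from the keytab into that cache. The script below is an added example written for this page; it is not code from the openssh-gsskex repository, from the issue author, or from OpenSSH. It assumes a constructed host-domain-to-realm table, a keytab path and a cache directory that are all hypothetical, and it uses `GSSAPIClientIdentity`, which only exists in the patched ssh discussed here, not in upstream OpenSSH. The constructed `klist` output is there so the decision logic can be exercised offline; the `kinit`/`ssh` commands are only built, and executed by `run_plan()` if you call it.

```python
"""Per-identity Kerberos credential caches for GSSAPI ssh logins.

Added example (not part of openssh-gsskex). Assumptions, all hypothetical:
a client keytab, a directory for private caches, and the DOMAIN_REALMS table.
"""
import os
import re
import subprocess
from pathlib import Path

# Constructed mapping from DNS domain to Kerberos realm (hypothetical names).
DOMAIN_REALMS = {
    "realm-a.example": "REALM-A.EXAMPLE",
    "realm-b.example": "REALM-B.EXAMPLE",
}

# Constructed `klist` output: the "main" cache already holds a realm A ticket.
KLIST_MAIN_CACHE = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: chris@REALM-A.EXAMPLE

Valid starting       Expires              Service principal
01/01/2024 08:00:00  01/01/2024 18:00:00  krbtgt/REALM-A.EXAMPLE@REALM-A.EXAMPLE
"""


def realm_for_host(host):
    """Map a host name to its realm by longest matching domain suffix."""
    host = host.lower().rstrip(".")
    for domain in sorted(DOMAIN_REALMS, key=len, reverse=True):
        if host == domain or host.endswith("." + domain):
            return DOMAIN_REALMS[domain]
    raise ValueError(f"no realm known for host {host!r}")


def default_principal(klist_output):
    """Return the principal of the cache shown by klist, or None if empty.

    MIT prints 'Default principal: ...', Heimdal prints 'Principal: ...'.
    """
    m = re.search(r"^(?:Default )?[Pp]rincipal:\s*(\S+)\s*$", klist_output, re.M)
    return m.group(1) if m else None


def cache_for_identity(identity, cache_dir):
    """Private FILE: cache for one identity, e.g. FILE:<dir>/chris_REALM-B.EXAMPLE."""
    safe = re.sub(r"[^A-Za-z0-9._@-]", "_", identity).replace("@", "_")
    return f"FILE:{Path(cache_dir) / safe}"


def plan_login(host, user, klist_output, cache_dir, keytab):
    """Return (env, commands) needed to log in to `host` as `user` via GSSAPI.

    If the main cache already holds a ticket for the target identity, reuse it.
    Otherwise point KRB5CCNAME at a private per-identity cache, kinit from the
    keytab into that cache, and tell ssh which identity to use, so the main
    cache (and its realm A ticket) is left untouched.
    """
    realm = realm_for_host(host)
    identity = f"{user}@{realm}"
    if default_principal(klist_output) == identity:
        return {}, [["ssh", f"{user}@{host}"]]
    ccname = cache_for_identity(identity, cache_dir)
    env = {"KRB5CCNAME": ccname}
    commands = [
        # MIT/Heimdal kinit: -k use keytab, -t keytab path, -c target cache.
        ["kinit", "-k", "-t", keytab, "-c", ccname, identity],
        # GSSAPIClientIdentity is provided by the distro GSSAPI patch, not upstream.
        ["ssh", "-o", "GSSAPIAuthentication=yes",
         "-o", f"GSSAPIClientIdentity={identity}", f"{user}@{host}"],
    ]
    return env, commands


def current_klist():
    """Read the real main cache; klist exits non-zero when there is none."""
    proc = subprocess.run(["klist"], capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else ""


def run_plan(env, commands):
    """Execute the planned commands with KRB5CCNAME scoped to this process tree."""
    full_env = dict(os.environ, **env)
    for cmd in commands:
        subprocess.run(cmd, env=full_env, check=True)


if __name__ == "__main__":
    env, cmds = plan_login("node1.realm-b.example", "chris", current_klist(),
                           Path.home() / ".krb5" / "cc",
                           str(Path.home() / ".krb5" / "client.keytab"))
    run_plan(env, cmds)
```

Because the private cache is selected by `KRB5CCNAME` in the environment of the `kinit` and `ssh` processes only, the user's default cache is never overwritten, and a compromised or stale ticket for one realm cannot be picked up by a login to another. Restrict the cache directory to the user (`chmod 0700`) as you would for any `FILE:` cache.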