Wrong Credentials Cache File Name when using GSSAPI Key Exchange via cron

[nevetS]

I received the following error when using Paramiko to upload files via cron, connecting to a server via GSSAPI Key Exchange:

gssapi.error.GSSException: (851968) Unspecified GSS failure.  Minor code may provide more information. Minor code: (2529639107) Credentials cache file '/cache/location/krb5cc_562' not found. Target: target.server.com

I looked in /cache/location/ and found a file ./krb5cc_562_qUEKm10168

After trying to troubleshoot for a bit, I simply created a softlink from /cache/location/krb5cc_562 to /cache/location/krb5cc_562_qUEKm10168 and it worked.

Oddly, this problem only cropped up when running the script via cron. Running it from the command line directly yielded success.

It looks to me like the filename is controlled by the environment variable: KRB5CCNAME

I don't have a solution at this point, but I suspect that the proper process would be to create a credentials cache and set the KRB5CCNAME variable. I will test further and post my results.

If this is an end user responsibility, it would be nice to have it documented in a tutorial.

It would be nice to have this issue resolved by passing a parameter to SSH.. i.e. credentials_cache="/your/file" to make things a bit easier on those using kerberos/GSSAPI.

[bitprophet]

Thanks for the report, I suspect this is purely a quirk/responsibility of/bug in the gssapi lib, though I'm still amenable to adding an FAQ entry in our docs if you can confirm exactly what's going on.

Not surprised this hasn't come up before, GSSAPI support is newish & also not widely used, so that intersected with running in a non-login environment is probably a miniscule target :D