[krbdev.mit.edu #8766] ksu sets KRB5CCNAME to MEMORY:_ksu when using switchable default cache

Greg Hudson via RT-2
Hi,

When the default cache is a switchable one, e.g. KEYRING, as set by...

[libdefaults]
 default_ccache_name = KEYRING:persistent:%{uid}

... using ksu will result in KRB5CCNAME being set to MEMORY:_ksu and
having no credentials:

[bolt]toby: ksu . -n toby/root
WARNING: Your password may be exposed if you enter it here and are logged
        in remotely using an unsecure (non-encrypted) channel.
Kerberos password for toby/[hidden email]: :
Leaving uid as toby (xxxxx)
[bolt]toby: klist
klist: No credentials cache found
[bolt]toby: echo $KRB5CCNAME
MEMORY:_ksu
[bolt]toby:

This seems to happen in src/clients/ksu/main.c:resolve_target_cache...

The check to determine if the cache type is switchable resolves to true
and the subsequent call to krb5_cc_resolve_cache_match seems to match
on the 'MEMORY:_ksu' cache as used internally by ksu, hence this cache is
returned.

Note this is running the OS-shipped 1.15.1 on Scientific Linux 7.5.  It
doesn't appear that the relevant code has subsequently changed (in 1.16.2)
but I can't easily test the behaviour.

Cheers
Toby


--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.


_______________________________________________
krb5-bugs mailing list
[hidden email]
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
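
A diagnostic for the symptom reported above, added here as an example (it is not code from krb5, ksu or the reporter): it reads default_ccache_name from a krb5.conf and flags a KRB5CCNAME that points at a MEMORY: cache, which is local to the process that created it, so a shell started by ksu has no credentials in it. The function names are hypothetical; KEYRING is the report's switchable type, and DIR and KCM are included on the assumption that they are the other switchable types on the host.

```shell
#!/bin/sh
# Added diagnostic; function names are hypothetical, not part of krb5.

# Print the cache type of default_ccache_name from [libdefaults] in the
# krb5.conf given as $1. Prints nothing when the setting is absent.
default_cc_type() {
    awk '
        /^[ \t]*\[/ { in_ld = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_ld && /^[ \t]*default_ccache_name[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")
            colon = index($0, ":")
            # A name with no TYPE: prefix is treated as a plain file path.
            t = (colon > 1) ? substr($0, 1, colon - 1) : "FILE"
            print t
            exit
        }
    ' "$1"
}

# Succeed for cache types that support switching the primary cache.
# Assumption: KEYRING (from the report) plus DIR and KCM.
is_switchable_type() {
    case "$1" in
        KEYRING|DIR|KCM) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = krb5.conf path, $2 = KRB5CCNAME as seen in the shell ksu started.
# Prints AFFECTED (the condition in the report), MEMORY (process-local
# cache exported, but default type is not switchable), or OK.
check_ksu_ccache() {
    ksu_cctype=$(default_cc_type "$1")
    case "$2" in
        MEMORY:*)
            if is_switchable_type "$ksu_cctype"; then echo AFFECTED
            else echo MEMORY
            fi ;;
        *) echo OK ;;
    esac
    return 0
}

# Constructed sample mirroring the configuration and output in the report.
sample=$(mktemp)
printf '[libdefaults]\n default_ccache_name = KEYRING:persistent:%%{uid}\n' > "$sample"
check_ksu_ccache "$sample" "MEMORY:_ksu"
rm -f "$sample"
```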