From: Toby Blake <toby@inf.ed.ac.uk>
Subject: ksu sets KRB5CCNAME to MEMORY:_ksu when using switchable default cache
Date: Tue, 18 Dec 2018 16:18:27 +0000
To: <krb5-bugs@mit.edu>
Hi,
When the default cache is a switchable one, e.g. KEYRING, as set by...
[libdefaults]
default_ccache_name = KEYRING:persistent:%{uid}
... using ksu will result in KRB5CCNAME being set to MEMORY:_ksu and
having no credentials:
[bolt]toby: ksu . -n toby/root
WARNING: Your password may be exposed if you enter it here and are logged
in remotely using an unsecure (non-encrypted) channel.
Kerberos password for toby/root@INF.ED.AC.UK: :
Leaving uid as toby (xxxxx)
[bolt]toby: klist
klist: No credentials cache found
[bolt]toby: echo $KRB5CCNAME
MEMORY:_ksu
[bolt]toby:
This seems to happen in src/clients/ksu/main.c:resolve_target_cache...
The check to determine if the cache type is switchable resolves to true
and the subsequent call to krb5_cc_resolve_cache_match seems to match
on the 'MEMORY:_ksu' cache as used internally by ksu, hence this cache is
returned.
Note this is running the OS-shipped 1.15.1 on Scientific Linux 7.5. It
doesn't appear that the relevant code has subsequently changed (in 1.16.2),
but I can't easily test the behaviour.
Cheers
Toby
--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
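As an added check that is not part of the bug report or of MIT krb5, the POSIX shell script below lets an administrator confirm whether a host is in the state described above: it reads default_ccache_name from the [libdefaults] section of a krb5.conf, classifies the cache type as switchable or not, and then compares the configured collection with the KRB5CCNAME that ksu left behind. The list of switchable types (DIR, KEYRING, KCM, API) is an assumption based on the collection types that support krb5_cc_switch; the sample krb5.conf is constructed inline.

```shell
#!/bin/sh
# Added example (not from the report or from MIT krb5): detect the case where
# ksu leaves KRB5CCNAME pointing at its internal MEMORY:_ksu cache even though
# the configured default cache is a switchable collection such as KEYRING.

# Return 0 if the cache type of $1 (a ccache name, e.g. KEYRING:persistent:1000)
# is switchable. ASSUMPTION: these are the collection types with a switch_to
# operation in MIT krb5; adjust if your build differs.
ccache_is_switchable() {
    case "${1%%:*}" in
        DIR|KEYRING|KCM|API) return 0 ;;
        *) return 1 ;;
    esac
}

# Print default_ccache_name from the [libdefaults] section of the krb5.conf
# given as $1; print nothing if it is not set there.
default_ccache_name() {
    awk '
        /^[ \t]*\[/ { insect = ($0 ~ /^[ \t]*\[libdefaults\][ \t]*$/); next }
        insect && /^[ \t]*default_ccache_name[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$1"
}

# Classify the post-ksu state from the configured default cache name ($1) and
# the KRB5CCNAME ksu exported ($2). Prints one of:
#   bug   - switchable default, but ksu left its internal MEMORY:_ksu cache
#   ok    - KRB5CCNAME is of the same type as the configured default
#   other - anything else (for example a FILE default, which this report
#           does not cover, or KRB5CCNAME unset)
ksu_cache_state() {
    cfg_default="$1"
    cur_cache="$2"
    if [ "$cur_cache" = "MEMORY:_ksu" ] && ccache_is_switchable "$cfg_default"; then
        echo bug
    elif [ -n "$cur_cache" ] && [ "${cur_cache%%:*}" = "${cfg_default%%:*}" ]; then
        echo ok
    else
        echo other
    fi
}

# Stand-alone demonstration on a constructed krb5.conf. On a real host you
# would point this at /etc/krb5.conf and run it inside the shell ksu spawned.
demo_conf=$(mktemp)
printf '[logging]\n default = FILE:/var/log/krb5libs.log\n' > "$demo_conf"
printf '[libdefaults]\n default_realm = EXAMPLE.COM\n' >> "$demo_conf"
printf ' default_ccache_name = KEYRING:persistent:%%{uid}\n' >> "$demo_conf"
demo_default=$(default_ccache_name "$demo_conf")
rm -f "$demo_conf"
if ccache_is_switchable "$demo_default"; then
    echo "default cache $demo_default is switchable; ksu takes the collection path"
fi
echo "state with KRB5CCNAME=MEMORY:_ksu: $(ksu_cache_state "$demo_default" MEMORY:_ksu)"
echo "state in this shell (KRB5CCNAME=${KRB5CCNAME:-unset}): $(ksu_cache_state "$demo_default" "${KRB5CCNAME:-}")"
```

The script only observes the outcome; it cannot see which cache krb5_cc_resolve_cache_match selected inside ksu. A result of "bug" after `ksu` means the spawned shell has no usable credentials, which `klist` will confirm as in the transcript above.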