Kerberos 5

Tillman Hodgson tillman at seekingfire.com
Thu May 5 07:50:00 PDT 2005


On Wed, May 04, 2005 at 02:33:30PM -0700, Damian Sobieralski wrote:
> 
>   I have a fairly weird question for the group.  I recently set up a
> FreeBSD 5.3 box to use pam_krb5 for sshd authentication. It worked
> great.  I created a local workstation user via adduser and when it came
> time for the password based question, I selected no.  So when I logged
> in, I typed "klist" and got some verbiage back about my ticket in /tmp.
> 
>  I rebuilt the box and although I can log into the box, when I type
> klist now I get:
> 
> klist: No ticket file: /tmp/krb5cc_0
> 
> Or some variation of the ticket file name.  It authenticates me okay
> via Kerberos or I couldn't get logged in, but any idea why this might
> happen?

How did you confirm that you were authenticating via Kerberos?

Do you have an environment variable like KRB5CCNAME set anywhere?

Which Kerberos are you talking about? The limited Heimdal in the base
OS, the full Heimdal port or the MIT port? Do you have more than one in
use and are perhaps running into path issues (running a different
program than you think you're running)?

>  BTW- I read online that storing tickets like this (in /tmp) is
> potentially a security risk for a server so the thought was to change
> it to home directory tickets like the website recommends.

It depends. In my environment, /home is NFS mounted. This is a Very Bad
Thing for Kerberos tickets. In my case, each computer is basically a
single-user workstation and /tmp actually is safer than /home.

-T


-- 
"Beauty is not diminished by being shared."
    -- Robert Heinlein
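The reply above is a list of things to check by hand: what credential cache the Kerberos libraries will actually look for (KRB5CCNAME or the /tmp/krb5cc_<uid> default), which of several klist binaries PATH resolves to, and whether /home or /tmp sits on NFS. The script below is an added diagnostic helper written for this page, not code from the thread or from FreeBSD; it assumes a POSIX sh, that `mount` prints lines in either the FreeBSD "device on /mnt (nfs, ...)" form or the Linux "device on /mnt type nfs ..." form, and the candidate klist paths it probes are assumptions, not a definitive list.

```sh
#!/bin/sh
# Added diagnostic helper (constructed for this page; not from the mailing list thread).
# Assumptions: POSIX sh; `mount` output in FreeBSD "(nfs, ...)" or Linux "type nfs" form;
# the klist locations probed below are guesses covering base-OS Heimdal, the Heimdal port
# and the MIT port, and may need adjusting for a given host.

# Resolve the credential cache the Kerberos libraries will use:
# KRB5CCNAME if set (with any FILE: prefix stripped), else the default /tmp/krb5cc_<uid>.
ccache_path() {
    if [ -n "$KRB5CCNAME" ]; then
        printf '%s\n' "${KRB5CCNAME#FILE:}"
    else
        printf '/tmp/krb5cc_%s\n' "$(id -u)"
    fi
}

# Classify one line of `mount` output as NFS or not.
# Matches FreeBSD "... on /home (nfs, ...)" and Linux "... on /home type nfs4 (rw)".
is_nfs_line() {
    case "$1" in
        *"(nfs"*|*" type nfs"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print nfs, local or unknown for a mount point such as /home or /tmp.
fs_kind_for() {
    line=$(mount 2>/dev/null | grep " on $1 " || true)
    if [ -z "$line" ]; then
        echo unknown
    elif is_nfs_line "$line"; then
        echo nfs
    else
        echo local
    fi
}

# List every klist binary found in the assumed locations, then show which one PATH picks,
# so a base-OS Heimdal vs. port mix-up (the "path issue" in the reply) is visible.
list_klist_candidates() {
    for p in /usr/bin/klist /usr/local/bin/klist /usr/heimdal/bin/klist /usr/kerberos/bin/klist; do
        [ -x "$p" ] && printf 'found: %s\n' "$p"
    done
    printf 'PATH resolves klist to: %s\n' "$(command -v klist 2>/dev/null || echo '(none)')"
}

report() {
    cache=$(ccache_path)
    echo "KRB5CCNAME: ${KRB5CCNAME:-(unset)}"
    echo "credential cache the libraries will use: $cache"
    if [ -f "$cache" ]; then
        ls -l "$cache"          # owner and mode matter: the cache should be 0600 and owned by you
    else
        echo "  (no cache file present; klist will report 'No ticket file')"
    fi
    list_klist_candidates
    echo "/home is: $(fs_kind_for /home)   (nfs here means home-directory caches are a bad idea)"
    echo "/tmp is:  $(fs_kind_for /tmp)"
}

report
```

Run it as the user whose klist output is puzzling; an unset KRB5CCNAME together with a missing /tmp/krb5cc_<uid> means pam_krb5 authenticated the login but never wrote (or immediately removed) a cache, while two different klist binaries in the listing points at the path confusion the reply asks about.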


More information about the freebsd-questions mailing list