Restricting Kerberos Credential Cache to session

Question

Currently we are using a very bad access model to our servers. Every person logs in via ssh to the same unix user. We have several keytabs which are used by everyone and normally the same keytab is used. However sometimes someone needs to use one of the other keytabs. But the kinit overwrites the ticket cache to the new principal. Therefore I would like to know if it is possible to make a kinit that is only valid in the current session and does not affect the other sessions of the same unix user?

Thanks for your help!

Answer 1

Every person logs in via ssh to the same unix user.

You probably should resolve that. (shared accounts makes individuals unaccountable.)

---

Kerberos credential are cached in /tmp by default, but I don't know off-hand if that path is hard-coded or derived from the $TMPDIR environment.

So anything that creates a private TMPDIR per session (and cleans that up after termination of the session) ought to work for you.

I think you might be able to handle that though PAM:

• libpam-tmpdir is one approach, that sets a per-session $TMP & $TMPDIR but that won't work on a applications that don't honour the environment and directly go to /tmp/.

• or the pam_namespace PAM module that sets up a private namespace for a session with polyinstantiated directories. A polyinstantiated directory provides a different instance of itself based on user name, or when using SELinux, user name, security context or both.

Answer 2

Yes, this is a bad model and should be changed. Not only are you having everyone use the same user, but it sounds like you're using keytabs like unprotected ssh private keys. For the latter issue please look at man .k5login for gssapi ssh.

Until then you can throw something like this in a bash profile:
export KRB5CCNAME=FILE:/tmp/krb5cc_$(id -u)_$(base64 /dev/urandom | head -c 10)

That should give every session it's own krb5 credential cache.