
Currently we are using a very bad access model to our servers. Every person logs in via ssh to the same unix user. We have several keytabs which are used by everyone and normally the same keytab is used. However sometimes someone needs to use one of the other keytabs. But the kinit overwrites the ticket cache to the new principal. Therefore I would like to know if it is possible to make a kinit that is only valid in the current session and does not affect the other sessions of the same unix user?

Thanks for your help!

Simon

2 Answers


Every person logs in via ssh to the same unix user.

You probably should resolve that. (Shared accounts make individuals unaccountable.)


Kerberos credentials are cached in /tmp by default, but I don't know off-hand whether that path is hard-coded or derived from the $TMPDIR environment variable.

So anything that creates a private TMPDIR per session (and cleans that up after termination of the session) ought to work for you.

I think you might be able to handle that through PAM:

  • libpam-tmpdir is one approach; it sets a per-session $TMP and $TMPDIR, but that won't work for applications that don't honour the environment and go directly to /tmp/.

  • or the pam_namespace PAM module that sets up a private namespace for a session with polyinstantiated directories. A polyinstantiated directory provides a different instance of itself based on user name, or when using SELinux, user name, security context or both.

HBruijn
  • Thank you very much, I will test your solutions. However, I am not able to install any packages, so let's hope they are already installed. (I also hate the login policy, but there is no way I can change that) – Simon Aug 07 '16 at 12:36

Yes, this is a bad model and should be changed. Not only are you having everyone use the same user, but it sounds like you're using keytabs like unprotected ssh private keys. For the latter issue please look at man .k5login for gssapi ssh.

Until then you can throw something like this in a bash profile:
# tr strips the '/' and '+' characters base64 emits, which would otherwise end up in the file name
export KRB5CCNAME=FILE:/tmp/krb5cc_$(id -u)_$(base64 /dev/urandom | tr -dc 'A-Za-z0-9' | head -c 10)

That should give every session its own krb5 credential cache.

84104
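A fuller version of that per-session cache, as an added example rather than the answer's own code: it creates the cache file with mktemp (so the name contains only safe characters and the file is 0600 from the start, which blocks another session of the same shared user from racing for the name) and destroys the tickets on logout so they do not linger in /tmp for the next person. It assumes bash as the login shell, a FILE ccache, and MIT kdestroy; function names are my own.

```shell
# Added example, not from the answers above: per-session Kerberos credential
# cache for a shared unix account, meant to be sourced from ~/.bash_profile.
# Assumes bash, a FILE ccache, mktemp(1) and MIT kdestroy(1).

# Create a private, unpredictable ccache file and point KRB5CCNAME at it.
# mktemp creates the file with mode 0600, so neither another login of the
# same user nor a symlink planted in /tmp can take the name first.
make_session_ccache() {
    local dir="${TMPDIR:-/tmp}"
    local cc
    cc="$(mktemp "$dir/krb5cc_$(id -u)_XXXXXXXXXX")" || return 1
    export KRB5CCNAME="FILE:$cc"
}

# Path of this session's cache (the FILE: prefix stripped).
session_ccache_path() {
    printf '%s\n' "${KRB5CCNAME#FILE:}"
}

# Octal mode of the cache, so a reader can check it really is 0600.
ccache_mode() {
    stat -c '%a' "${KRB5CCNAME#FILE:}"
}

# Discard this session's tickets on logout; other sessions of the same
# user keep their own caches untouched because each has its own file.
cleanup_session_ccache() {
    local cc="${KRB5CCNAME#FILE:}"
    if command -v kdestroy >/dev/null 2>&1; then
        kdestroy -c "$KRB5CCNAME" 2>/dev/null || true
    fi
    rm -f "$cc"
    unset KRB5CCNAME
}

# Only in an interactive login shell: set up the cache, tear it down on exit.
if [ -n "${PS1:-}" ]; then
    make_session_ccache
    trap cleanup_session_ccache EXIT
fi
```

After sourcing this, kinit in one ssh session writes only to that session's file, so switching keytabs there no longer clobbers anyone else's tickets.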