Losing Kerberos Ticket after SSH to Current Host and Exit

0

I am running on CentOS 7.3.

How may I prevent losing my Kerberos TGT in the scenario below?

I understand the security implications of not destroying Kerberos tickets upon logout, and I will be digging deeper into this. But I want to start with the simplest possible example, which I present below.

user@host.example.com$ klist
klist: Credentials cache keyring 'persistent:25536700022:krb_ccache_h3j7qk7' not found

user@host.example.com$ kinit
Password for user@example.com:

user@host.example.com$ klist
Ticket cache: KEYRING:persistent:25536700022:krb_ccache_h3j7qk7
Default principal: user@example.com

Valid starting       Expires              Service principal
08/03/2018 17:06:45  08/04/2018 17:06:41  krbtgt/example.com@example.com

user@host.example.com$ ssh -K host
Last login: Fri Aug  3 17:06:21 2018 from 10.250.57.186

user@host.example.com$ klist
Ticket cache: KEYRING:persistent:25536700022:krb_ccache_h3j7qk7
Default principal: user@example.com

Valid starting       Expires              Service principal
08/03/2018 17:06:54  08/04/2018 17:06:41  krbtgt/example.com@example.com

user@host.example.com$ exit
logout
Connection to host closed.

user@host.example.com$ klist
klist: Credentials cache keyring 'persistent:25536700022:krb_ccache_h3j7qk7' not found

user@host.example.com$

UPDATE #1

Updating the SSH server configuration as follows solves the problem as presented:

GSSAPICleanupCredentials no

However, doing this unconditionally is undesirable because it has negative security implications. Leaving unexpired tickets resident on a machine after you're done working on it is dangerous.

More Detail About Our Use Case
We are using SSH to execute commands on remote hosts. The commands executed on the remote hosts may, in turn, use SSH to execute remote commands on yet other hosts. This is all scripted / automated, so we can't allow a prompt for a password to occur. This is why I used ssh -K. The -K flag forwards your Kerberos TGT to the host you're SSHing to, thereby enabling you to SSH on to another host from there without being prompted for a password.

In our particular use case, it sometimes happens that one of the "remote" hosts we're using SSH to execute a command on is the host we're already on. Without the configuration change shown above, after the "remote" command finishes executing and the SSH session exits, the Kerberos ticket is destroyed--on the machine we're currently on! We've then lost our ability to SSH in a passwordless manner to all hosts.

Searching For a Secure Solution to Our Use Case
So as to avoid the security implications of unconditionally not destroying Kerberos tickets upon logout, I'd like to dig deeper.

Is there a way to do either of the following?

  1. Forward your Kerberos TGT only if it doesn't already reside on the machine you're SSHing to
  2. Destroy your Kerberos tickets only when exiting your last shell session

Are there other possibilities that I am not considering?

Dave

Posted 2018-08-03T22:20:06.347

Reputation: 597
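The following is an added example, not code from the question or its author, implementing option 1 for the one case the question describes: delegate the TGT (ssh -K) only when the destination is some other host, and plain GSSAPI-authenticate without delegation when the "remote" host is the one we are already on. It assumes that a GSSAPI login that does not delegate credentials gives sshd no delegated ticket cache to remove at logout, so the persistent keyring already on the host is left alone. The function names (local_names, is_local_host, delegation_flag, kssh) and the LOCAL_NAMES override are this example's own.

```shell
#!/bin/sh
# Added example (not the original post's code). Delegate the TGT only when
# the destination is not this host. Assumption: without delegation, sshd has
# no delegated credential cache to clean up, so the existing keyring survives.

# Names under which this host is known. LOCAL_NAMES overrides the
# hostname(1)-derived list, which lets the logic be exercised offline.
local_names() {
    if [ -n "${LOCAL_NAMES:-}" ]; then
        printf '%s\n' $LOCAL_NAMES
        return 0
    fi
    hostname 2>/dev/null || true
    hostname -f 2>/dev/null || true
    hostname -s 2>/dev/null || true
    printf '%s\n' localhost 127.0.0.1 ::1
}

# Host part of a "user@host" target, lower-cased for comparison.
target_host() {
    printf '%s\n' "${1##*@}" | tr '[:upper:]' '[:lower:]'
}

# Exit status 0 when the target names this host.
is_local_host() {
    _t=$(target_host "$1")
    for _n in $(local_names); do
        _n=$(printf '%s\n' "$_n" | tr '[:upper:]' '[:lower:]')
        if [ "$_n" = "$_t" ]; then
            return 0
        fi
    done
    return 1
}

# Prints "-K" for an off-host destination, nothing for this host.
delegation_flag() {
    if ! is_local_host "$1"; then
        printf -- '%s' -K
    fi
}

# Drop-in for `ssh -K host cmd...` in the automation: delegates only off-host.
kssh() {
    _host=$1
    shift
    _flag=$(delegation_flag "$_host")
    # $_flag is intentionally unquoted: empty means "no extra argument".
    ssh $_flag "$_host" "$@"
}
```

Replacing `ssh -K "$h" "$cmd"` with `kssh "$h" "$cmd"` in the scripts keeps delegation for genuinely remote hosts; a self-targeted hop authenticates with the TGT already in the keyring and, because nothing was delegated, there is nothing for GSSAPICleanupCredentials to destroy. Name matching is deliberately simple (hostname, FQDN, short name, loopback); an alias or a second interface name that is not in that list is treated as remote, which is the safe direction.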

Answers

0

I ended up putting the following in my .bash_profile:

# Runs when the login shell exits (see the trap below).
cleanup()
{
   # Count this user's bash processes. The figure includes this shell and the
   # subshell bash forks for the $(...) substitution, so 2 means no other
   # session of ours is still open.
   SHELL_COUNT=$(ps -elf | grep bash | grep "$(whoami)" | grep -v grep | wc -l)

   if [[ "$SHELL_COUNT" -eq 2 ]]; then
      kdestroy -q
   fi
}

trap cleanup EXIT

Dave

Posted 2018-08-03T22:20:06.347

Reputation: 597
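The following is an added example, not the answer's own code: a stricter way to decide that the exiting shell is the user's last one, so that kdestroy runs only then. Instead of `ps -elf | grep bash | grep user`, which also matches a `vim .bash_profile` or any username that contains the target name as a substring, it reads the columns of `ps -eo uid=,ppid=,comm=` and counts rows whose uid matches, whose command name is exactly bash, and whose parent is not the exiting shell itself. That last condition excludes the subshell bash forks for the `$(...)` substitution, which the magic number 2 in the answer has to absorb. The function names (count_user_shells, should_destroy_tickets, sample_count) and the sample ps rows are this example's own.

```shell
#!/bin/sh
# Added example (not the answer's code): count the user's bash shells from
# `ps -eo uid=,ppid=,comm=` rows and destroy tickets only from the last one.

# $1 = numeric uid, $2 = pid of the shell doing the counting; ps rows on stdin.
# Counts rows with that uid, command name exactly "bash", and a parent other
# than the counting shell (so the $(...) subshell is not counted).
count_user_shells() {
    awk -v u="$1" -v me="$2" '
        $1 == u && $3 == "bash" && $2 != me { n++ }
        END { print n + 0 }'
}

# The count includes the calling shell, so it is the last one when count <= 1.
should_destroy_tickets() {
    [ "$1" -le 1 ]
}

# Constructed sample of `ps -eo uid=,ppid=,comm=` (not captured from a real
# host). uid 1000 is the user, 1001 another user; the counting shell is
# pid 4242, so rows with ppid 4242 are its children.
SAMPLE_PS='0      1     sshd
1000   1001  sshd
1000   1002  bash
1000   4242  bash
1000   4242  vim
1000   1005  bash
1001   1007  bash
1000   4242  grep'

# Run the count over the sample for a given uid, as shell 4242 would.
sample_count() {
    printf '%s\n' "$SAMPLE_PS" | count_user_shells "$1" 4242
}

# What the .bash_profile hook becomes; install it with:  trap cleanup EXIT
cleanup() {
    n=$(ps -eo uid=,ppid=,comm= | count_user_shells "$(id -u)" "$$")
    if should_destroy_tickets "$n"; then
        kdestroy -q
    fi
}
```

Over the sample, uid 1000 has two login shells (parents 1002 and 1005); the bash child of 4242 is the substitution subshell and is skipped, as are vim and grep. Matching on the numeric uid rather than the name avoids the truncated-username problem of the user column, and `$$` is the login shell's pid even inside the substitution, which is what makes the parent test reliable. Like the original, this still counts non-interactive bash processes the user happens to be running, so a long-running script of yours keeps the tickets alive until it finishes.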