
Hello,
Adding KRB5CCNAME to the ssh command's environment solved the problem.
https://bugzilla.redhat.com/show_bug.cgi?id=736983
I would like to propose the following patch:
Index: libvirt-0.9.5-rc1/src/rpc/virnetsocket.c =================================================================== --- libvirt-0.9.5-rc1.orig/src/rpc/virnetsocket.c 2011-09-08 19:37:31.000000000 +0200 +++ libvirt-0.9.5-rc1/src/rpc/virnetsocket.c 2011-09-08 19:37:54.000000000 +0200 @@ -615,6 +615,7 @@
cmd = virCommandNew(binary ? binary : "ssh"); virCommandAddEnvPassCommon(cmd); + virCommandAddEnvPass(cmd, "KRB5CCNAME"); virCommandAddEnvPass(cmd, "SSH_AUTH_SOCK"); virCommandAddEnvPass(cmd, "SSH_ASKPASS"); virCommandAddEnvPass(cmd, "DISPLAY");
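Review bot: the new virCommandAddEnvPass(cmd, "KRB5CCNAME") call, placed between virCommandAddEnvPassCommon(cmd) and the SSH_AUTH_SOCK entry, carries no comment explaining why this variable belongs in the pass-through list. Every name added here widens what the spawned ssh client inherits from the caller, so a one-line comment above the call stating that ssh needs the credential cache location for GSSAPI authentication would document the reason and give later additions to this list a precedent to follow. The patch should also come with a commit message that references the Bugzilla entry.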
We should also pass through KRB5_KTNAME I believe
There might be legitimate applications that I am completely unaware of. But with regard to GSSAPI authentication and usage of ssh as client application by libvirt I think this is not necessary.

To obtain my credentials I would use an application like heimdal-kcm or k5start or kinit per cronjob. These would need access to a keytab. libvirt itself would only need to know about a keytab if there was an internal mechanism in libvirt to obtain and renew credentials for its own principal.

Kind regards!

--
Matthias Witte - witte@netzquadrat.de
Telefon: +49 (0)211-30 20 33-18
Telefax: +49 (0)211-30 20 33-22
[netzquadrat] GmbH - Gladbacher Str. 74 - 40219 Düsseldorf
HRB Düsseldorf 36121 - Geschäftsführer: Thilo Salmon, Tim Mois
Steuernummer: 106/5719/1836, Umsatzsteuer-ID: DE246863050