Hello,
> Adding KRB5CCNAME to the ssh command's environment solved the problem.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=736983
>
> I would like to propose the following patch:
>
> Index: libvirt-0.9.5-rc1/src/rpc/virnetsocket.c
> ===================================================================
> --- libvirt-0.9.5-rc1.orig/src/rpc/virnetsocket.c 2011-09-08
19:37:31.000000000 +0200
> +++ libvirt-0.9.5-rc1/src/rpc/virnetsocket.c 2011-09-08 19:37:54.000000000 +0200
> @@ -615,6 +615,7 @@
>
> cmd = virCommandNew(binary ? binary : "ssh");
> virCommandAddEnvPassCommon(cmd);
> + virCommandAddEnvPass(cmd, "KRB5CCNAME");
> virCommandAddEnvPass(cmd, "SSH_AUTH_SOCK");
> virCommandAddEnvPass(cmd, "SSH_ASKPASS");
> virCommandAddEnvPass(cmd, "DISPLAY");
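Review bot: the added `virCommandAddEnvPass(cmd, "KRB5CCNAME");` line has no comment saying why the ssh child needs this variable, and it sits among SSH_AUTH_SOCK, SSH_ASKPASS and DISPLAY, where its purpose is not obvious to a later reader. A one-line comment above it stating that it lets the ssh client locate the caller's Kerberos credential cache for GSSAPI authentication, with a reference to the bug report, would record the intent and make it clear that the pass-through is deliberate.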
We should also pass through KRB5_KTNAME I believe
There might be legitimate applications that I am completely unaware of.
But with regard to GSSAPI authentication and usage of ssh as client
application by libvirt I think this is not necessary.
To obtain my credentials I would use an application like heimdal-kcm or
k5start or kinit per cronjob. These would need access to a keytab.
libvirt itself would only need to know about a keytab if there was a
internal mechanism in libvirt to obtain and renew credentials for its
own principal.
Kind regards!
--
Matthias Witte - witte(a)netzquadrat.de