This is something we missed when going over the GSSAPI code this August. The code in ssh_gssapi_krb5_storecreds() in gss-serv-krb5.c doesn't set the KRB5CCNAME environment variable correctly. At present it includes only the cache's "name". But it should actually include both its "type" and its "name", separated by a colon ':' -- e.g. "FILE:/tmp/krb5cc_100_Ao7629". (Simon Wilkinson's patches to 3.6.1p2 and previous versions did this correctly.) I'll add a patch to fix the problem. I made the code general enough to work with other cache "types" -- e.g. API or MEMORY.
Created attachment 490: Fix to set KRB5CCNAME correctly in GSSAPI code
Created attachment 491: Another patch to set KRB5CCNAME correctly in GSSAPI code
Oops, my first fix wasn't general enough. Here's a better one.
I think this patch is probably over complex. In both the Heimdal and MIT cases we constrain ourselves to FILE: credential caches (the call to the Heimdal variant with &krb5_fcc_ops, and the 'FILE:' prefix to the MIT code). Under Unix, MIT Kerberos defaults to using 'FILE' when no credential cache type is given and Heimdal always defaults to using 'FILE'. For correctness, we should probably prefix the cache with 'FILE'.
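The value format discussed in the comments above ("type:name", with FILE as the Unix default when no type is given), as an added C example that is not part of this bug thread or of OpenSSH. The helper names build_krb5ccname and split_krb5ccname are hypothetical, and the split is a simplified reading of the value, not either Kerberos library's parser.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from OpenSSH): format a KRB5CCNAME value as
 * "TYPE:name". A NULL or empty type falls back to "FILE", the Unix default
 * described in the thread. Returns 0 on success, -1 on bad input or if the
 * result would not fit in out. */
int build_krb5ccname(const char *type, const char *name, char *out, size_t outlen)
{
    int n;

    if (name == NULL || *name == '\0' || out == NULL || outlen == 0)
        return -1;
    if (type == NULL || *type == '\0')
        type = "FILE";
    if (strchr(type, ':') != NULL)      /* the type must not contain the separator */
        return -1;
    n = snprintf(out, outlen, "%s:%s", type, name);
    if (n < 0 || (size_t)n >= outlen)   /* refuse to export a truncated cache path */
        return -1;
    return 0;
}

/* Simplified consumer view: split on the first ':'; a value with no ':' is
 * read as a FILE cache. Returns 0 on success, -1 if type does not fit. */
int split_krb5ccname(const char *value, char *type, size_t typelen, const char **residual)
{
    const char *colon = strchr(value, ':');
    size_t len = colon ? (size_t)(colon - value) : strlen("FILE");

    if (len == 0 || len >= typelen)
        return -1;
    memcpy(type, colon ? value : "FILE", len);
    type[len] = '\0';
    *residual = colon ? colon + 1 : value;
    return 0;
}

int main(void)
{
    char env[64], type[16];
    const char *rest;

    /* Constructed sample values; the path is the one quoted in the report. */
    if (build_krb5ccname("FILE", "/tmp/krb5cc_100_Ao7629", env, sizeof(env)) == 0 &&
        split_krb5ccname(env, type, sizeof(type), &rest) == 0)
        printf("KRB5CCNAME=%s (type=%s, name=%s)\n", env, type, rest);
    return 0;
}
```

A bare name only resolves correctly while the consumer's default type is FILE; with any other cache type the prefix is what tells the library where to look.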
Bug cleanup: this appears to be a dupe of #698.
*** This bug has been marked as a duplicate of 698 ***
Mass change of RESOLVED bugs to CLOSED