[libvirt] Bug 736983 SSH GSSAPI login broken

Matthias Witte witte at netzquadrat.de
Mon Sep 12 15:02:08 UTC 2011


Hello,

> > Adding KRB5CCNAME to the ssh command's environment solved the problem.
> > 
> > https://bugzilla.redhat.com/show_bug.cgi?id=736983
> > 
> > I would like to propose the following patch:
> > 
> > Index: libvirt-0.9.5-rc1/src/rpc/virnetsocket.c
> > ===================================================================
> > --- libvirt-0.9.5-rc1.orig/src/rpc/virnetsocket.c       2011-09-08 19:37:31.000000000 +0200
> > +++ libvirt-0.9.5-rc1/src/rpc/virnetsocket.c    2011-09-08 19:37:54.000000000 +0200
> > @@ -615,6 +615,7 @@
> >  
> >      cmd = virCommandNew(binary ? binary : "ssh");
> >      virCommandAddEnvPassCommon(cmd);
> > +    virCommandAddEnvPass(cmd, "KRB5CCNAME");
> >      virCommandAddEnvPass(cmd, "SSH_AUTH_SOCK");
> >      virCommandAddEnvPass(cmd, "SSH_ASKPASS");
> >      virCommandAddEnvPass(cmd, "DISPLAY");
> 
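
Review bot: the added virCommandAddEnvPass(cmd, "KRB5CCNAME") line carries no comment saying why this variable is passed through to the ssh child, unlike SSH_AUTH_SOCK or DISPLAY, whose purpose is obvious from the name. A one-line comment above it, stating that GSSAPI authentication in ssh needs the location of the Kerberos credential cache, would keep a later cleanup of this pass-through list from dropping it again. The commit message should also reference bug 736983 so the reason for the change can be traced.
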
> We should also pass through KRB5_KTNAME I believe

There might be legitimate applications that I am completely unaware of.
But with regard to gssapi authentication and usage of ssh as a client
application by libvirt I think this is not necessary.

To obtain my credentials I would use an application like heimdal-kcm or
k5start or kinit per cronjob. These would need access to a keytab.
libvirt itself would only need to know about a keytab if there was an
internal mechanism in libvirt to obtain and renew credentials for its
own principal.

Kind regards!

-- 
Matthias Witte - witte at netzquadrat.de
Telephone: +49 (0)211-30 20 33-18
Fax: +49 (0)211-30 20 33-22

[netzquadrat] GmbH - Gladbacher Str. 74 - 40219 Düsseldorf
HRB Düsseldorf 36121 - Managing directors: Thilo Salmon, Tim Mois
Tax number: 106/5719/1836, VAT ID: DE246863050



