I am running on CentOS 7.3.

How may I prevent losing my Kerberos TGT in the scenario below?

I understand the security implications of not destroying Kerberos tickets upon logout, and I will be digging deeper into this. But I want to start with the simplest possible example, which I present below.

[email protected]$ klist
klist: Credentials cache keyring 'persistent:25536700022:krb_ccache_h3j7qk7' not found

[email protected]$ kinit
Password for [email protected]:

[email protected]$ klist
Ticket cache: KEYRING:persistent:25536700022:krb_ccache_h3j7qk7
Default principal: [email protected]

Valid starting       Expires              Service principal
08/03/2018 17:06:45  08/04/2018 17:06:41  krbtgt/[email protected]

[email protected]$ ssh -K host
Last login: Fri Aug  3 17:06:21 2018 from 10.250.57.186

[email protected]$ klist
Ticket cache: KEYRING:persistent:25536700022:krb_ccache_h3j7qk7
Default principal: [email protected]

Valid starting       Expires              Service principal
08/03/2018 17:06:54  08/04/2018 17:06:41  krbtgt/[email protected]

[email protected]$ exit
logout
Connection to host closed.

[email protected]$ klist
klist: Credentials cache keyring 'persistent:25536700022:krb_ccache_h3j7qk7' not found

[email protected]$

UPDATE #1

Updating the SSH server configuration as follows solves the problem as presented:

GSSAPICleanupCredentials no

However, doing this unconditionally is undesirable because it has negative security implications. Leaving unexpired tickets resident on a machine after you're done working on it is dangerous.

More Detail About Our Use Case
We are using SSH to execute commands on remote hosts. The commands executed on the remote hosts may, in turn, use SSH to execute remote commands on yet other hosts. This is all scripted / automated, so we can't allow a prompt for a password to occur. This is why I used ssh -K. The -K flag forwards your Kerberos TGT to the host you're SSHing to, thereby enabling you to SSH on to another host from there without being prompted for a password.

In our particular use case, it sometimes happens that one of the "remote" hosts we're using SSH to execute a command on is the host we're already on. Without the configuration change shown above, after the "remote" command finishes executing and the SSH session exits, the Kerberos ticket is destroyed--on the machine we're currently on! We've then lost our ability to SSH in a passwordless manner to all hosts.

Searching For a Secure Solution to Our Use Case
So as to avoid the security implications of unconditionally not destroying Kerberos tickets upon logout, I'd like to dig deeper.

Is there a way to do either of the following?

  1. Forward your Kerberos TGT only if it doesn't already reside on the machine you're SSHing to
  2. Destroy your Kerberos tickets only when exiting your last shell session

Are there other possibilities that I am not considering?

I ended up putting the following in my .bash_profile:

cleanup()
{
   # Count the bash processes owned by this user. The threshold of 2 allows for
   # the subshell that the $(...) substitution forks while ps is running: when
   # only this login shell (plus that subshell) is left, it is the last session.
   SHELL_COUNT=$(ps -elf | grep bash | grep "$(whoami)" | grep -v grep | wc -l)

   if [[ "$SHELL_COUNT" -eq 2 ]]; then
      # Last session for this user: destroy the credential cache quietly.
      kdestroy -q
   fi
}

# Run cleanup whenever this shell exits (trap on 0 = EXIT).
trap '
   cleanup
' 0
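The answer above handles option 2 (destroy on the last shell exit). The wrapper below is an added example, not code from the question or the answer, for the local-host case described in the question: it passes -K only when the destination is not the machine we are already on, and otherwise authenticates with GSSAPI without delegating, so sshd receives no delegated cache and its cleanup on logout has nothing to destroy, leaving the persistent keyring cache intact while GSSAPICleanupCredentials stays at its default. It assumes the local host is identified by the output of hostname / hostname -f and the loopback names; the function names is_local_host, ssh_opts and kssh are mine.

```shell
#!/bin/sh
# Added example: delegate the TGT (-K) only when the target is another host.

# is_local_host NAME -> exit status 0 if NAME refers to this machine.
# Assumption: local names are `hostname`, `hostname -f` and the loopback names.
is_local_host() {
    target=$1
    short=$(hostname 2>/dev/null)
    fqdn=$(hostname -f 2>/dev/null)
    for candidate in localhost 127.0.0.1 ::1 "$short" "$fqdn"; do
        if [ -n "$candidate" ] && [ "$target" = "$candidate" ]; then
            return 0
        fi
    done
    return 1
}

# ssh_opts NAME -> prints the ssh options to use for NAME.
# Local target: GSSAPI authentication without delegation, so sshd stores no
# credential cache and GSSAPICleanupCredentials has nothing to remove.
# Remote target: -K (GSSAPI authentication plus delegation), as in the question.
ssh_opts() {
    if is_local_host "$1"; then
        printf '%s' '-oGSSAPIAuthentication=yes -oGSSAPIDelegateCredentials=no'
    else
        printf '%s' '-K'
    fi
}

# kssh NAME CMD... -> run CMD on NAME, delegating the TGT only when needed.
kssh() {
    target=$1
    shift
    # shellcheck disable=SC2046  # word splitting of the option string is intended
    ssh $(ssh_opts "$target") "$target" "$@"
}
```

Using kssh in place of ssh -K in the automation keeps the ticket on the current host when a "remote" command happens to target that same host; it does not cover the general case of a different host that already holds a ticket.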
