Improve keytab detection when obtaining Kerberos tickets on behalf of user on SSH authentication

Related: RHEL-92932
2026-04-14 16:19:58 +02:00 · 2026-04-14 16:19:58 +02:00 · b35a30acc7
commit b35a30acc7
parent 8edc05030d
2 changed files with 40 additions and 5 deletions
--- a/openssh-9.9p1-gssapi-s4u.patch
+++ b/openssh-9.9p1-gssapi-s4u.patch
@ -55,7 +55,7 @@ diff --color -ruNp a/gss-serv.c b/gss-serv.c
 
 ssh_gssapi_mech gssapi_null_mech =
     { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL, NULL};
-@@ -486,26 +486,351 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g
+@@ -486,26 +486,382 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g
 	return (ctx->major);
 }
 
@ -184,12 +184,43 @@ diff --color -ruNp a/gss-serv.c b/gss-serv.c
 +	    (unsigned)getuid(), (unsigned)geteuid(), lname);
 +#ifdef HAVE_GSS_ACQUIRE_CRED_FROM
 +	{
+# if defined(KRB5)
+		/*
+		 * Resolve the keytab path: krb5_kt_default_name respects
+		 * KRB5_KTNAME and krb5.conf default_keytab_name.
+		 */
+		char keytab_name[MAXPATHLEN];
+		krb5_context tmp_ctx;
+
+
+		keytab_name[0] = '\0';
+		if (krb5_init_context(&tmp_ctx) == 0) {
+			(void)krb5_kt_default_name(tmp_ctx, keytab_name,
+			    sizeof(keytab_name));
+			krb5_free_context(tmp_ctx);
+		}
+		if (keytab_name[0] == '\0')
+			strlcpy(keytab_name, "FILE:/etc/krb5.keytab",
+			    sizeof(keytab_name));
+		/*
+		 * client_keytab lets GSSAPI do AS-REQ to obtain a TGT for the
+		 * host principal (initiator role needed for S4U2Self).
+		 * keytab covers the acceptor role.
+		 * ccache: MEMORY: keeps the resulting TGT volatile.
+		 */
 +		gss_key_value_element_desc store_elements[] = {
-+			{ "client_keytab", "/etc/krb5.keytab" },
-+			{ "keytab",        "/etc/krb5.keytab" },
-+			{ "ccache",        "MEMORY:"          },
+			{ "client_keytab", keytab_name },
+			{ "keytab", keytab_name },
+			{ "ccache", "MEMORY:" },
 +		};
 +		const gss_key_value_set_desc cred_store = { 3, store_elements };
+# else
+		gss_key_value_element_desc store_elements[] = {
+			{ "ccache", "MEMORY:" },
+		};
+		const gss_key_value_set_desc cred_store = { 1, store_elements };
+# endif
+
 +
 +		major = gss_acquire_cred_from(&minor, host_name, lifetime,
 +		    oidset, GSS_C_BOTH, &cred_store, &host_creds, NULL, NULL);
--- a/openssh.spec
+++ b/openssh.spec
@ -43,7 +43,7 @@
 Summary: An open source implementation of SSH protocol version 2
 Name: openssh
 Version: %{openssh_ver}
-Release: 25%{?dist}
+Release: 26%{?dist}
 URL: http://www.openssh.com/portable.html
 Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
@ -740,6 +740,10 @@ test -f %{sysconfig_anaconda} && \
 %attr(0755,root,root) %{_libdir}/sshtest/sk-dummy.so

 %changelog
+* Tue Apr 14 2026 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.9p1-26
+- Improve keytab detection when obtaining Kerberos tickets on behalf of user on SSH authentication
+  Related: RHEL-92932
+
 * Wed Apr 01 2026 Zoltan Fridrich <zfridric@redhat.com> - 9.9p1-25
 - Fix static analysis issues
  Resolves: RHEL-163365