
I'm trying to figure out how Kerberos works. In /tmp/ I have a bunch of Kerberos files like krb5cc_<user-id>. What are they exactly? Looking into them I find out that they are just some encrypted strings. If one would want to use them inside a docker file, how could I access them? As the Docker environment is isolated, I can't access /tmp. So how can I get those Kerberos tickets?

2 Answers


What you've found are Kerberos credentials caches ("ccaches"). These retain Kerberos credentials while they are valid, and while the user session lasts. This aids in efforts to minimally contact the Key Distribution Center (KDC).

There is a healthy deal of knowledge that is available to help elucidate Kerberos and more specifically, the purpose and function of these files.

As Kerberos was developed by MIT, they have good documentation on the protocol and its intricacies that I always refer to.

A credential cache usually contains one initial ticket which is obtained using a password or another form of identity verification. If this ticket is a ticket-granting ticket, it can be used to obtain additional credentials without the password. Because the credential cache does not store the password, less long-term damage can be done to the user’s account if the machine is compromised.

When you kinit and klist you show the contents of your user's cache, which will also make clear to you where klist is pulling that cache from (which might also help make clear why something like that is in /tmp):

    [kkahn@host ~]$ klist
    Ticket cache: FILE:/tmp/krb5cc_1987
    Default principal: [email protected]

    Valid starting       Expires              Service principal
    02/22/21 15:34:12    02/23/21 15:34:09    krbtgt/[email protected]

When you kdestroy you are simply writing zeros to the credentials cache for your user. man kdestroy should make this clear:

    DESCRIPTION
        The kdestroy utility destroys the user's active Kerberos authorization
        tickets by writing zeros to the specified credentials cache that
        contains them. If the credentials cache is not specified, the default
        credentials cache is destroyed. If kdestroy was built with Kerberos 4
        support, the default behavior is to destroy both Kerberos 5 and
        Kerberos 4 credentials. Otherwise, kdestroy will default to destroying
        only Kerberos 5 credentials.

I am also including this KB that you may find relevant.

  • Got it! But how do I add this whole system into a Docker environment? If I want the users using my application running in a docker to obtain a kerberos ticket and do stuff, how do I do it? Commented Feb 22, 2021 at 20:54

If one would want to use them inside a docker file, how would I could access them?

If you want to use a pre-existing credentials cache on the host from inside a container, you can mount it into the container, and set the KRB5CCNAME environment variable to specify the path where you mounted it:

docker run -v /tmp/krb5cc_$UID:/tmp/krb5cc -e KRB5CCNAME=/tmp/krb5cc ... 
