Bug 1658642

Summary: Store user runtime files in /run/user/ rather than in /tmp/
Product: Red Hat Enterprise Linux 8 Reporter: Jakub Jelen <jjelen>
Component: opensshAssignee: Dmitry Belyavskiy <dbelyavs>
Status: CLOSED WONTFIX QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: low    
Version: 8.0CC: misterbonnie, riehecky
Target Milestone: rcKeywords: FutureFeature, Triaged
Target Release: 8.1   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-01-18 17:07:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1682500    
Bug Blocks: 1654830    

Description Jakub Jelen 2018-12-12 15:25:31 UTC 
Based on the discussion in the bug #1654830, we should make OpenSSH using the /run/user directory for the things that belong there, namely:

 * The location of file with information about authentication
 * The default location of the ssh-agent socket (in Gnome, gnome-keyring is already taking the socket here)
 * The default location of the forwarded kerberos credential cache
 * The location of the forwarded ssh-agent socket

The issue with using /tmp is mostly when the tmpfs is full, which can produce unexpected behavior (failing agent forwarding, kerberos authentication ...)

The upstream acceptance is questionable (it is systemd), but with proper configure checks, it should be possible to implement it in a clean and portable way.

I assume OpenSSH should claim the /run/user/EUID/openssh/ directory, where the separate temporary files should be placed.
Comment 1 Jakub Jelen 2019-01-04 16:25:06 UTC 
I submitted the upstream bug with a patch. Expanded commits are available here:

https://github.com/openssh/openssh-portable/compare/master...Jakuje:run-user

I would be happy for feedback or testing.
Comment 2 Pat Riehecky 2019-01-04 17:12:36 UTC 
Would this also capture the GSSAPI/Kerberos ticket forwarding or does that happen down in the krb5 libs (/tmp/krb5cc_1000_15475)?
Comment 3 Jakub Jelen 2019-01-07 09:20:24 UTC 
Yes, this captures also the kerberos tickets, as mentioned in the bug description:

  https://github.com/openssh/openssh-portable/compare/master...Jakuje:run-user#diff-17b3a83e02209e8b555ed4893c1abe25R252

We already carry in the RHEL patches to be able to configure the location of the kerberos tickets in krb5.conf, but if this file does not provide any guidance, the OpenSSH falls back to the default (with this patch, it would be /run/user/...).