ssh: allow ssh to write to the kerberos CC when it picks up a ticket

2025-09-12 12:25:55 -06:00 · 2025-09-12 12:25:55 -06:00 · 53501d8bf4
commit 53501d8bf4
parent c67773947e
1 changed files with 2 additions and 0 deletions
--- a/apparmor.d/groups/ssh/ssh
+++ b/apparmor.d/groups/ssh/ssh
@ -44,6 +44,8 @@ profile ssh @{exec_path} {
  owner @{user_projects_dirs}/**/ssh/{,*} r,
  owner @{user_projects_dirs}/**/config r,

+  owner @{tmp}/krb5cc_* rwk,
+
  audit owner @{tmp}/ssh-*/{,agent.@{int}} rwkl,

  owner @{run}/user/@{uid}/gvfsd-sftp/@{hex} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand},