problem with AFS token forwarding

John Hawkinson jhawk at MIT.EDU
Wed Nov 21 02:27:34 EST 2001


Holger Trapp <holger.trapp at hrz.tu-chemnitz.de> wrote on Tue, 20 Nov 2001
at 08:19:08 +0100 in <Pine.LNX.4.33.0111200620210.4649-100000 at bergson.bibliothek.tu-chemnitz.de>:

> I came across an interoperability problem in OpenSSH 3.0p1 and 3.0.1p1
> concerning the AFS token forwarding. That means that the new versions are
> not able to exchange AFS tokens (and Kerberos TGTs) with older OpenSSH
> releases (including 2.9p2) and with the old SSH 1.2.2x.

This has always been the case with openssh...

Serge Droz <serge.droz at psi.ch> wrote on Tue, 20 Nov 2001
at 08:31:43 +0100 in <3BFA06DF.9A4AD658 at psi.ch>:

> The attached patch solves this problem.

It seems to be malformed, in that this seems to contain the entire file:

> diff -Nur openssh-3.0.1p1.orig/auth1.c.orig openssh-3.0.1p1/auth1.c.orig
> --- openssh-3.0.1p1.orig/auth1.c.orig	Thu Jan  1 01:00:00 1970
> +++ openssh-3.0.1p1/auth1.c.orig	Tue Nov 13 13:46:19 2001
> @@ -0,0 +1,429 @@
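
Review bot: the auth1.c.orig entry should not be in the patch. The hunk header "@@ -0,0 +1,429 @@", together with the 1970 epoch timestamp on the old side, shows a 429-line file being added whole, and the .orig name suggests a backup copy left in the patched tree and picked up by -N. Regenerate the diff with that file deleted or excluded (for example with diff's -x '*.orig') so that only the intended changes remain to be reviewed.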

I guess that's just superfluous though...


> It adds the option AFSPassTokenBeforeAuth to the sshd_config and
> ssh_config files which reintroduces the old behaviour when set to
> yes (It's off by default).

I have similar patches for Kerberos TGT passing, but I'm not quite ready
to share them publicly at this moment; I think that from a compatibility
perspective, though, an option is not really the right way to do this.
In my implementation, the server will accept the ticket forwarding in
either order, and the client will send the TGT first only if talking to
a 1.2.x server. This seems to be the best upgrade path one can have,
without requiring users to alter configuration values.

--jhawk