Jan IVEN jan.iven at
Thu Aug 1 01:55:17 EST 2002

>>>>> "MF" == Markus Friedl <markus at> writes:

 MF> please test Olaf Kirch's patch. it looks fine to me, but i don't to K5.
 MF> i'd like to see this in the next release. thx

For what its worth, a similar patch for KRB4+5 is appended to -- and I cannot test
the KRB5 part either (therefore neither Olaf's version). KRB4 seems to

I still have some more patches related to KRB4/AFS/SSH1, and would be most
happy to get rid of them. They deal with:

* mkstemp() on RH7.2 (and above, based on glibc-2.2) being very
  restrictive, breaking KRB4 TGT passing. Moving to the XXXXXX format
  seems to cause trouble because the same ticket file is being
  re-used. The patch adds a check for autoconf to use the bsd_compat

* KRB4-TGT forwarding overwrites credentials (AFS token, KRB4 TGT)
  from a successful password auth. This tends to confuse users.. "-k"
  is a workaround, but was not neccessary pre-3.0. The patch disables
  credential forwarding on the server after password auth succeeded.

* an extended version of the KRB4/5+PRIVSEP patch above that enables
  "early" KRB4/AFS credential forwarding (as done by older/non-OpenSSH
  clients). These credentials now get stored and will be used after
  successful authentication.

Unrelated, but useful:

* make ssh/sshd handle unknown configuration options non-fatally --
  ~/.ssh/config files on AFS tend to be used by multiple versions of
  ssh clients, and barfing because the new version does not like old
  options is unfriendly. For the sshd, the problem is less acute due
  to "-t", but it still prevents us from screwing with other admin's
  config files...

All of them are against 3.4p1, but I would be willing to port them
forward to something more recent if this would get them accepted...


More information about the openssh-unix-dev mailing list