OpenSSH v3.8p1 fails to interoperate for GSSAPI (Kerberos) and X-Windows

Jim Carter jimc at math.ucla.edu
Fri May 28 05:51:03 EST 2004


Thank you all for your replies.  Please accept my apology for a somewhat
intemperate tone, but also please consider where I was coming from: I
had figured out that our Kerberos deployment was going to be derailed
because of the 3.5[SuSE] <-> 3.8 lack of interoperability, and then I
turned to the X-Windows issue: seemingly random error messages that
suggested corruption in the encrypted channel.  I had no idea that it
was deliberate and documented!

Darren Tucker <dtucker at zip.com.au> wrote:
> Simon Wilkinson published a patch to enable backwards compatibility with
> "gssapi" authentication.
> http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=107826289602763

Thank you!  This will be very helpful.  I must have used keywords (like
gssapi-with-mic) in my Google search that missed it.  I have a software
audit script that can deal with locally patched software, rather than
having to slavishly use whatever the distro gives us.  (A big advantage
of using a distro is that most of the time you can automate patches, but
there *is* a downside...)  When all of our systems have been upgraded
and when we're sure that off-site users aren't going to get cut off --
probably we won't have too many that we'll have to bully into upgrading
-- we can decommit gssapi-without-mic.

> That's only the "-Y" command-line option (which is a substitute for 
> "-X"),  ForwardX11Trusted does not imply ForwardX11 (at least in the 
> current version, I didn't check older ones).

OK, that's reasonable.  For the record, I confirm that if you set
ForwardX11Trusted=true and ForwardX11=false in ssh_config, then plain
"ssh" does not forward X11, but "ssh -X" does forward it, and it is
trusted (the offending apps will run).  (With either setting, ssh -Y
works as expected.)  This is how we've set up our ssh_config for the
machines with openssh v3.8p1, following the Debian guy's suggestion.


James F. Carter          Voice 310 825 2897    FAX 310 206 6673
UCLA-Mathnet;  6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA 90095-1555
Email: jimc at math.ucla.edu  http://www.math.ucla.edu/~jimc (q.v. for PGP key)
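
The ForwardX11 / ForwardX11Trusted interaction confirmed in the message above, as an added example that is not part of the original post or of OpenSSH. It resolves the two options from ssh_config text (first obtained value wins) and reports what plain ssh, ssh -X and ssh -Y would do. The function names and the sample config are constructed; the defaults are assumed to be upstream's ("no" for both), and Match blocks and negated Host patterns are not handled.

```python
import fnmatch
import re

# Assumption: upstream OpenSSH defaults; a distribution may patch these.
DEFAULTS = {"forwardx11": "no", "forwardx11trusted": "no"}
TRUE = {"yes", "true"}

def effective_options(config_text, host):
    """Resolve the two X11 options for `host`; the first obtained value wins."""
    opts, active = {}, True  # lines before any Host block apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)\s*=?\s*(.*)", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            active = any(fnmatch.fnmatchcase(host, p) for p in value.split())
        elif key == "match":
            active = False  # Match blocks are not evaluated in this example
        elif active and key in DEFAULTS:
            opts.setdefault(key, value.lower())
    return {**DEFAULTS, **opts}

def x11_mode(config_text, host, flag=None):
    """Return 'none', 'untrusted' or 'trusted' for plain ssh, -X or -Y."""
    opts = effective_options(config_text, host)
    # Command-line flags are obtained before the config files, so they win.
    forward = flag in ("-X", "-Y") or opts["forwardx11"] in TRUE
    trusted = flag == "-Y" or opts["forwardx11trusted"] in TRUE
    if not forward:
        return "none"
    return "trusted" if trusted else "untrusted"

# Constructed sample: the ssh_config setup described in the message.
SAMPLE = """\
Host *
    ForwardX11 = false
    ForwardX11Trusted=true
"""

if __name__ == "__main__":
    for flag in (None, "-X", "-Y"):
        print(flag or "(no flag)", "->", x11_mode(SAMPLE, "example.host", flag))
```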



