openssh & kerberos difficulties

MG grundman at mip.ups-tlse.fr
Sat Dec 10 06:48:44 EST 2005


1/
When I access with GSSAPIAuthentication & GSSAPIDelegateCredentials, the option
KerberosGetAFSToken does not work. The tickets are transferred correctly, because
the AFS tokens are obtained if the command afslog is inserted in the
/etc/ssh/sshrc file.

2/
When multiple realms are defined in /etc/krb5.conf, sshd uses only the first
default realm for Kerberos password authentication. However, GSSAPI access works
with multiple default realms, at least for HEIMDAL. It should be fine if sshd
uses all default realms or all realms defined in /etc/krb5.conf.

For HEIMDAL I replaced the line

"problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user, ccache,
password, 1, NULL);"

by a line

"problem = krb5_verify_user_lrealm(authctxt->krb5_ctx, authctxt->krb5_user,
ccache, password, 1, NULL);"

in the file auth-krb5.c and the Kerberos password authentication takes into
account all locally defined realms in the /etc/krb5.conf file. I did not try to
modify the file for the mit-krb5 Kerberos distribution.

I use heimdal-0.6.5, openssh-4.2_p1 and openafs-1.2.10-r1 from Gentoo.
I submitted these bugs as https://bugs.gentoo.org/show_bug.cgi?id=115001
and https://bugs.gentoo.org/show_bug.cgi?id=115003 to Gentoo.

MG



