Need help with GSSAPI authentication

Sergio Gelato Sergio.Gelato at astro.su.se
Wed May 11 23:49:21 EST 2005


* 'Sergio Gelato' [2005-05-11 14:22:17 +0200]:
> * Simon Gales [2005-05-11 07:01:35 -0500]:
> > After more experimentation last night, I found that:
> > + Putty (with patches) can authenticate but doesn't forward the tickets.
> 
> If you're in a position to apply patches, then maybe you should simply
> patch the call to gss_init_sec_context() to enable credentials delegation.

I'll take that back. Having now looked at the PuTTY patch, I see that the
-f flag already does precisely that. The question, then, is whether the
SSPI implementation is doing the right thing. David said that
an empty credential set was being forwarded. Would be nice to know what's
happening on the wire: the client is supposed to ask the KDC for a new
TGT for the target host, prior to the GSSAPI exchange. (Unless perhaps
addressless TGTs are being used.)




More information about the openssh-unix-dev mailing list