OpenSSH v3.8p1 fails to interoperate for GSSAPI (Kerberos) and X-Windows
Jim Carter
jimc at math.ucla.edu
Fri May 28 05:51:03 EST 2004

Thank you all for your replies. Please accept my apology for a somewhat
intemperate tone, but also please consider where I was coming from: I
had figured out that our Kerberos deployment was going to be derailed
because of the 3.5[SuSE] <-> 3.8 lack of interoperability, and then I
turned to the X-Windows issue: seemingly random error messages that
suggested corruption in the encrypted channel. I had no idea that it
was deliberate and documented!

Darren Tucker <dtucker at zip.com.au> wrote:
> Simon Wilkinson published a patch to enable backwards compatibility with
> "gssapi" authentication.
> http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=107826289602763

Thank you! This will be very helpful. I must have used keywords (like
gssapi-with-mic) in my Google search that missed it. I have a software
audit script that can deal with locally patched software, rather than
having to slavishly use whatever the distro gives us. (A big advantage
of using a distro is that most of the time you can automate patches, but
there *is* a downside...) When all of our systems have been upgraded
and when we're sure that off-site users aren't going to get cut off --
probably we won't have too many that we'll have to bully into upgrading
-- we can decommit gssapi-without-mic.

> That's only the "-Y" command-line option (which is a substitute for
> "-X"), ForwardX11Trusted does not imply ForwardX11 (at least in the
> current version, I didn't check older ones).

OK, that's reasonable. For the record, I confirm that if you set
ForwardX11Trusted=true and ForwardX11=false in ssh_config, then plain
"ssh" does not forward X11, but "ssh -X" does forward it, and it is
trusted (the offending apps will run). (With either setting, ssh -Y
works as expected.) This is how we've set up our ssh_config for the
machines with openssh v3.8p1, following the Debian guy's suggestion.

James F. Carter Voice 310 825 2897 FAX 310 206 6673
UCLA-Mathnet; 6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA 90095-1555
Email: jimc at math.ucla.edu http://www.math.ucla.edu/~jimc (q.v. for PGP key)
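
Added example (not part of the original message and not OpenSSH code): a small audit helper that reads ssh_config text and reports the ForwardX11 / ForwardX11Trusted values that plain "ssh", "ssh -X" and "ssh -Y" would end up with, reproducing the behaviour confirmed above. The names x11_settings, SAMPLE_SSH_CONFIG and host.example.org are hypothetical, and the helper assumes both options default to "no" when unset.

```python
import re

# Constructed sample: the ssh_config settings described in the message above.
SAMPLE_SSH_CONFIG = """\
Host *
    ForwardX11 = false
    ForwardX11Trusted = true
"""

def _host_matches(pattern, host):
    # Simplification: only the '*' and '?' wildcards are handled (no negation).
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, host) is not None

def _flag(value):
    # ssh_config accepts yes/true and no/false for boolean options.
    v = value.lower()
    if v in ("yes", "true"):
        return True
    if v in ("no", "false"):
        return False
    raise ValueError(f"not a boolean ssh_config value: {value!r}")

def x11_settings(config_text, host, cli_flag=None):
    """Return (forward_x11, trusted) for `host`; cli_flag is None, "-X" or "-Y"."""
    opts = {}
    # Command-line options are applied first, so they beat the config file.
    if cli_flag in ("-X", "-Y"):
        opts["forwardx11"] = True
    if cli_flag == "-Y":
        opts["forwardx11trusted"] = True
    active = True  # lines before the first Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)\s*=?\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            active = any(_host_matches(p, host) for p in value.split())
        elif active and key in ("forwardx11", "forwardx11trusted"):
            opts.setdefault(key, _flag(value))  # first value obtained wins
    # Assumed defaults: both options are off when nothing sets them.
    return opts.get("forwardx11", False), opts.get("forwardx11trusted", False)

if __name__ == "__main__":
    for flag in (None, "-X", "-Y"):
        print(flag or "plain ssh", x11_settings(SAMPLE_SSH_CONFIG, "host.example.org", flag))
```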