Krb5 options patch

Douglas E. Engert deengert at anl.gov
Fri Feb 25 02:02:25 EST 2005



Mike Dopheide wrote:
> Does anyone see a need for a patch that allows Kerberos password 
> authentication with the correct local options?  I'm simply trying to get a 
> feel for if it's worth my time to investigate it further.
> 
> The issue is that we also use a patch that does Kerberos ticket passing 
> and our ticket lifetime is slightly higher than the default 10 hours.  
> Users experience different behavior when they login with a ticket 
> or if they acquire a new ticket while logging in with a password.
> 
> A quick investigation leads me to krb5_get_init_creds_password() in 
> auth-krb5.c not passing along the 'default_lifetime' option that can be 
> set in /etc/krb5.conf.


The problem may have been MIT Kerberos versions prior to 1.4 not
processing the lifetime option in the krb5.conf file. It looks like
they added "ticket_lifetime" in 1.4.

A test with OpenSSH-3.9 and krb5-1.4 on Solaris 9
with "[libdefaults] ticket_lifetime = 8h" shows that sshd did get an
8 hour ticket.

> 
> Thoughts?
> 
> -Mike
> 
> 
> ---------------------------------------------------
> Mike Dopheide                dopheide at ncsa.uiuc.edu
> System Engineer                Phone:  217.244.0299
> NCSA, University of Illinois     Fax:  217.244.1987
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
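
Added example, not part of the original message or of OpenSSH: a small Python check that reads the [libdefaults] ticket_lifetime setting discussed above from krb5.conf text and converts it to seconds, so the configured value can be compared with what klist reports after a password login. The sample configuration, realm name and function names are constructed for illustration, and the duration forms handled (plain seconds, h:m[:s], NdNhNmNs) are assumed from the MIT krb5.conf documentation.

```python
import re

# Constructed sample configuration, modelled on the setting quoted in the reply.
SAMPLE_KRB5_CONF = """\
# constructed sample, not from a real host
[libdefaults]
    default_realm = EXAMPLE.ORG
    ticket_lifetime = 8h

[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
    }
"""

_UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def duration_to_seconds(text):
    """Convert a krb5.conf duration (8h, 1d2h30m, 10:00:00, 36000) to seconds."""
    text = text.strip().lower()
    if re.fullmatch(r"\d+", text):                      # plain seconds
        return int(text)
    if re.fullmatch(r"\d+:\d+(:\d+)?", text):           # h:m or h:m:s
        parts = [int(p) for p in text.split(":")] + [0]
        return parts[0] * 3600 + parts[1] * 60 + parts[2]
    if re.fullmatch(r"(\d+[dhms])+", text):             # NdNhNmNs
        return sum(int(n) * _UNITS[u] for n, u in re.findall(r"(\d+)([dhms])", text))
    raise ValueError(f"unrecognised duration: {text!r}")

def libdefaults_ticket_lifetime(conf_text):
    """Return ticket_lifetime from [libdefaults] in seconds, or None if unset."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":                 # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section == "libdefaults" and "=" in line:    # other sections are ignored
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "ticket_lifetime":
                return duration_to_seconds(value)
    return None                                         # library default applies

if __name__ == "__main__":
    print(libdefaults_ticket_lifetime(SAMPLE_KRB5_CONF))
```

A return value of None means the file sets no lifetime in [libdefaults], so the ticket obtained at password login gets whatever default the installed Kerberos library applies.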