Re: openssh 4.0p1 + heimdal 0.6.3 + GSSAPIDelegateCredentials = wrong ticket address?


On Thu, 31 Mar 2005, Brandon S. Allbery KF8NH wrote:

> I'm having a bit of an odd problem with OpenSSH 4.0p1 and Heimdal 0.6.3,
> involving GSSAPI authentication and delegation (ticket forwarding).  The
> forwarded tickets have the originating system's address, not that of the
> receiving system.  See attached typescript ("klist -T -v"s before and
> during an ssh session).
> I can't see anything in the OpenSSH code that would cause this, as it
> simply hands everything off to the GSSAPI library.  And I can't imagine
> that this is intended behavior; isn't the point of ticket forwarding
> that the forwarded tickets have the correct machine address?  Is there
> some configure (openssh or heimdal) option or krb5.conf stanza I should
> be using to make this work correctly (hopefully not addressless tickets,
> although I suppose if that's really needed...).

You should have a look at the KDC's log files during a GSSAPI 
authentication. Forwarded tickets should have a 'forwarded' flag set; 
your tickets don't have it...

I actually do not understand what happens there. The output of 'ssh -vvv' 
would possibly help.


P.S.: it's not a general problem as exactly this combination works at our

