[arch-general] [arch-dev-public] [signoff] krb5

Ray Kohler ataraxia937 at gmail.com
Sat May 7 17:15:47 EDT 2011


On Sat, May 7, 2011 at 11:14 AM, Stéphane Gaudreault
<stephane at archlinux.org> wrote:
> * Replace heimdal by the MIT Kerberos implementation, krb5
> * Rebuilt [core] packages:
>  - librpcsecgss
>  - libtirpc
>  - nfs-utils
>  - openssh
>
> Please signoff both.
> Thanks
>
> Stéphane

I see a regression versus heimdal here. Do this:

1. Set up krb5.conf to enable proxiable and forwardable tickets
2. Set up ~/.ssh/config to enable "GSSAPIAuthentication" and
"GSSAPIDelegateCredentials"
3. Use "kinit" from this krb5 package to get a new TGT
4. Use the ssh client from this openssh rebuild to connect to a server
that supports GSSAPI auth

On some, but not all, ssh server implementations, GSSAPI auth will
fail, and it will fall back to password auth. The server will log
this:

sshd[3822]: Forcing password authentication because no credentials delegated

When using the heimdal-based builds, GSSAPI auth would work in all cases.

It's entirely likely that only very old ssh servers show this problem,
as that's what I'm seeing so far. Possibly there is some confusion
with the new "Okay as delegate" ticket flag, which heimdal didn't
support at all, and MIT krb5 only supports enough to parse and report,
but has no support for setting.

I don't consider this important enough to block the release of these
packages, but I wanted to mention it in case someone else cares more
than me.
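The four steps of the reproduction above, as an added example that is not part of Ray Kohler's message or of the Arch packages: the krb5.conf and ~/.ssh/config fragments the steps describe, written to a scratch directory rather than the live files, plus a check that the TGT obtained with kinit actually carries the F (forwardable) and P (proxiable) flags. If those flags are missing, delegation cannot happen and the "no credentials delegated" fallback is expected regardless of the server. The realm EXAMPLE.COM, the host name kerberized.example.com, the scratch directory and the sample klist output are all assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed: realm EXAMPLE.COM,
# host kerberized.example.com, and a scratch directory passed by the caller.

# write_config_fragments DIR: writes the two fragments from steps 1 and 2
# into DIR (not into /etc or ~/.ssh) so they can be inspected first.
write_config_fragments() {
    dir="$1"
    # krb5.conf: [libdefaults] is where MIT krb5 reads the default ticket flags.
    cat > "$dir/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    forwardable = true
    proxiable = true
EOF
    # ssh client config, scoped to one Host entry on purpose: a delegated TGT
    # lets that server act as the user, so enable it only for trusted hosts.
    cat > "$dir/ssh_config" <<'EOF'
Host kerberized.example.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
EOF
}

# tgt_has_flags KLIST_OUTPUT: exit 0 when the krbtgt entry in `klist -f`
# output (MIT format) lists both F and P on its "Flags:" line, else exit 1.
tgt_has_flags() {
    printf '%s\n' "$1" | awk '
        /krbtgt\// { in_tgt = 1; next }
        in_tgt && /Flags:/ {
            split($0, a, "Flags:"); flags = a[2]
            gsub(/[[:space:]]/, "", flags)
            if (index(flags, "F") && index(flags, "P")) found = 1
            in_tgt = 0
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample of MIT `klist -f` output after step 3 with the
# fragment above in place (flags F and P present on the TGT).
SAMPLE_KLIST_OK='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
05/07/2011 17:00:00  05/08/2011 03:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 05/14/2011 17:00:00, Flags: FPRIA'

# Constructed sample from a kinit run without forwardable/proxiable set.
SAMPLE_KLIST_NOFWD='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
05/07/2011 17:00:00  05/08/2011 03:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	Flags: IA'

# Stand-alone usage: check the real credential cache when klist is available.
if command -v klist >/dev/null 2>&1; then
    if tgt_has_flags "$(klist -f 2>/dev/null)"; then
        echo "TGT is forwardable and proxiable; GSSAPI delegation can proceed"
    else
        echo "TGT lacks F/P flags; expect the server to fall back to password auth"
    fi
fi
```

Run the check between steps 3 and 4: if it reports missing flags, the problem is on the client side (krb5.conf or the kinit invocation) and not the server-side difference the post describes.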
