Mike Dopheide wrote:
> Does anyone see a need for a patch that allows Kerberos password
> authentication with the correct local options? I'm simply trying to get a
> feel for if it's worth my time to investigate it further.
>
> The issue is that we also use a patch that does Kerberos ticket passing
> and our ticket lifetime is slightly higher than the default 10 hours.
> Users experience different behavior when they login with a ticket
> or if they acquire a new ticket while logging in with a password.
>
> A quick investigation leads me to krb5_get_init_creds_password() in
> auth-krb5.c not passing along the 'default_lifetime' option that can be
> set in /etc/krb5.conf.

The problem may have been MIT Kerberos versions prior to 1.4 not
processing the lifetime option in the krb5.conf file. It looks like
they added "ticket_lifetime" in 1.4.
A test with OpenSSH-3.9 and krb5-1.4 on Solaris 9
with "[libdefaults] ticket_lifetime = 8h" shows that sshd did get an
8 hour ticket.

>
> Thoughts?
>
> -Mike
>
>
> ---------------------------------------------------
> Mike Dopheide dopheide at ncsa.uiuc.edu
> System Engineer Phone: 217.244.0299
> NCSA, University of Illinois Fax: 217.244.1987
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444