Mike Dopheide wrote:
> Does anyone see a need for a patch that allows Kerberos password 
> authentication with the correct local options?  I'm simply trying to get a
> feel for if it's worth my time to investigate it further.
> 
> The issue is that we also use a patch that does Kerberos ticket passing 
> and our ticket lifetime is slightly higher than the default 10 hours.  
> Users experience different behavior when they log in with a ticket 
> or if they acquire a new ticket while logging in with a password.
> 
> A quick investigation leads me to krb5_get_init_creds_password() in 
> auth-krb5.c not passing along the 'default_lifetime' option that can be
> set in /etc/krb5.conf.

The problem may have been MIT Kerberos versions prior to 1.4 not
processing the lifetime option in the krb5.conf file. It looks like
they added "ticket_lifetime" in 1.4.
A test with OpenSSH-3.9 and krb5-1.4 on Solaris 9
with "[libdefaults] ticket_lifetime = 8h" shows that sshd did get an
8 hour ticket.

> 
> Thoughts?
> 
> -Mike
> 
> 
> ---------------------------------------------------
> Mike Dopheide                dopheide at ncsa.uiuc.edu
> System Engineer                Phone:  217.244.0299
> NCSA, University of Illinois     Fax:  217.244.1987
> 
-- 
  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444