Does anyone see a need for a patch that allows Kerberos password
authentication with the correct local options? I'm simply trying to get a
feel for if it's worth my time to investigate it further.

The issue is that we also use a patch that does Kerberos ticket passing
and our ticket lifetime is slightly higher than the default 10 hours.
Users experience different behavior when they login with a ticket
or if they acquire a new ticket while logging in with a password.

A quick investigation leads me to krb5_get_init_creds_password() in
auth-krb5.c not passing along the 'default_lifetime' option that can be
set in /etc/krb5.conf.



Mike Dopheide
System Engineer Phone: 217.244.0299
NCSA, University of Illinois Fax: 217.244.1987

openssh-unix-dev mailing list