Re: Krb5 options patch
Mike Dopheide wrote:
> Does anyone see a need for a patch that allows Kerberos password
> authentication with the correct local options? I'm simply trying to get a
> feel for if it's worth my time to investigate it further.
> The issue is that we also use a patch that does Kerberos ticket passing
> and our ticket lifetime is slightly higher than the default 10 hours.
> Users experience different behavior when they log in with a ticket
> or if they acquire a new ticket while logging in with a password.
> A quick investigation leads me to krb5_get_init_creds_password() in
> auth-krb5.c not passing along the 'default_lifetime' option that can be
> set in /etc/krb5.conf.
The problem may have been MIT Kerberos versions prior to 1.4 not
processing the lifetime option in the krb5.conf file. It looks like
they added "ticket_lifetime" in 1.4.
A test with OpenSSH-3.9 and krb5-1.4 on Solaris 9
with "[libdefaults] ticket_lifetime = 8h" shows that sshd did get an
8 hour ticket.
> Mike Dopheide <email@example.com>
> System Engineer Phone: 217.244.0299
> NCSA, University of Illinois Fax: 217.244.1987
> openssh-unix-dev mailing list
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439