Mike Dopheide wrote:
> Does anyone see a need for a patch that allows Kerberos password
> authentication with the correct local options? I'm simply trying to get a
> feel for if it's worth my time to investigate it further.
>
> The issue is that we also use a patch that does Kerberos ticket passing
> and our ticket lifetime is slightly higher than the default 10 hours.
> Users experience different behavior when they log in with a ticket
> or if they acquire a new ticket while logging in with a password.
>
> A quick investigation leads me to krb5_get_init_creds_password() in
> auth-krb5.c not passing along the 'default_lifetime' option that can be
> set in /etc/krb5.conf.



The problem may have been MIT Kerberos versions prior to 1.4 not
processing the lifetime option in the krb5.conf file. It looks like
they added "ticket_lifetime" in 1.4.

A test with OpenSSH-3.9 and krb5-1.4 on Solaris 9
with "[libdefaults] ticket_lifetime = 8h" shows that sshd did get an
8 hour ticket.

>
> Thoughts?
>
> -Mike
>
>
> ---------------------------------------------------
> Mike Dopheide dopheide@ncsa.uiuc.edu
> System Engineer Phone: 217.244.0299
> NCSA, University of Illinois Fax: 217.244.1987
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@mindrot.org
> http://www.mindrot.org/mailman/listi...enssh-unix-dev


--

Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
