
Re: Heimdal and r* client programs




> 1. Ran a k5destroy and a k5list to confirm that I did not have a ticket
>
> 2. Ran '/usr/local/bin/ssh -2 -p 8022 localhost' ... oddly, I got a
>    password prompt that only took my system (rather than Kerberos)
>    password
>
> 3. Ran k5list to see if I had a ticket created - I didn't

This list probably isn't the appropriate place to get into an in-depth
discussion, but I just felt I should correct a really common
misunderstanding:

The GSSAPI patches _only_ deal with authentication via already gained
tickets, and forwarding tickets to the remote machine.

Authentication via password is handled by the stock OpenSSH code. We use
PAM to handle password checking against the KDC, but there is code in
OpenSSH that can also do this. I'd suggest asking on one of the openssh
lists for more details.

Cheers,

Simon.