
Re: openssh 4.0p1 + heimdal 0.6.3 + GSSAPIDelegateCredentials =wrong ticket address?



Hello,

On Thu, 31 Mar 2005, Brandon S. Allbery KF8NH wrote:

> I'm having a bit of an odd problem with OpenSSH 4.0p1 and Heimdal 0.6.3,
> involving GSSAPI authentication and delegation (ticket forwarding).  The
> forwarded tickets have the originating system's address, not that of the
> receiving system.  See attached typescript ("klist -T -v"s before and
> during an ssh session).
>
> I can't see anything in the OpenSSH code that would cause this, as it
> simply hands everything off to the GSSAPI library.  And I can't imagine
> that this is intended behavior; isn't the point of ticket forwarding
> that the forwarded tickets have the correct machine address?  Is there
> some configure (openssh or heimdal) option or krb5.conf stanza I should
> be using to make this work correctly (hopefully not addressless tickets,
> although I suppose if that's really needed...).

You should have a look at the KDC's log files during a GSSAPI
authentication. Forwarded tickets should have a 'forwarded' flag set;
your tickets don't have it...

I actually do not understand what happens there. The output of 'ssh -vvv' 
would possibly help.

Greetings
Andreas

P.S.: It's not a general problem, as exactly this combination works at our
       site.

-- 
| Andreas Haupt                      | E-Mail:  andreas.haupt@desy.de
|  DESY Zeuthen                      | WWW:     http://www.desy.de/~ahaupt
|  Platanenallee 6                   | Phone:   +49/33762/7-7359
|  D-15738 Zeuthen                   | Fax:     +49/33762/7-7216