On Sat, May 7, 2011 at 11:14 AM, Stéphane Gaudreault <stephane@xxxxxxxxxxxxx> wrote:
> * Replace heimdal by the MIT Kerberos implementation, krb5
> * Rebuilt [core] packages:
>   - librpcsecgss
>   - libtirpc
>   - nfs-utils
>   - openssh
>
> Please signoff both.
> Thanks
>
> Stéphane

I see a regression versus heimdal here. Do this:

1. Set up krb5.conf to enable proxiable and forwardable tickets
2. Set up ~/.ssh/config to enable "GSSAPIAuthentication" and "GSSAPIDelegateCredentials"
3. Use "kinit" from this krb5 package to get a new TGT
4. Use the ssh client from this openssh rebuild to connect to a server that supports GSSAPI auth

On some, but not all, ssh server implementations, GSSAPI auth will fail, and it will fall back to password auth. The server will log this:

    sshd[3822]: Forcing password authentication because no credentials delegated

When using the heimdal-based builds, GSSAPI auth would work in all cases.

It's entirely likely that only very old ssh servers show this problem, as that's what I'm seeing so far. Possibly there is some confusion with the new "Okay as delegate" ticket flag, which heimdal didn't support at all, and MIT krb5 only supports enough to parse and report, but has no support for setting.

I don't consider this important enough to block the release of these packages, but I wanted to mention it in case someone else cares more than me.
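
Added example, not part of the original message: a Python scan of sshd logs for the forced-fallback message quoted above, reporting which of those sessions then completed with a password. The sample log lines are constructed, the function name is hypothetical, and grouping by sshd PID assumes the server logs both lines from the same process.

```python
import re

# Message text taken from the report above.
FALLBACK = "Forcing password authentication because no credentials delegated"
# Syslog-style sshd line: "... sshd[PID]: message"
LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Standard OpenSSH success line: "Accepted <method> for <user> from <addr> port ..."
ACCEPTED = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<addr>\S+)")

# Constructed sample input (documentation addresses, made-up users and PIDs).
SAMPLE_LOG = """\
May  7 12:01:03 host1 sshd[3822]: Forcing password authentication because no credentials delegated
May  7 12:01:09 host1 sshd[3822]: Accepted password for alice from 192.0.2.10 port 51234 ssh2
May  7 12:02:40 host1 sshd[3901]: Accepted gssapi-with-mic for bob from 192.0.2.11 port 51301 ssh2
May  7 12:05:12 host1 sshd[3950]: Forcing password authentication because no credentials delegated
""".splitlines()


def find_gssapi_fallbacks(lines):
    """Return one record per sshd PID that logged the forced fallback.

    'method' stays None when no successful login was logged for that PID,
    i.e. the client gave up or failed the password prompt.
    """
    sessions = {}
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # not an sshd line
        pid, msg = m.group("pid"), m.group("msg")
        s = sessions.setdefault(pid, {"pid": pid, "fallback": False,
                                      "method": None, "user": None, "addr": None})
        if FALLBACK in msg:
            s["fallback"] = True
        elif (a := ACCEPTED.match(msg)):
            s.update(a.groupdict())
    # Only sessions that hit the fallback are of interest here.
    return [s for s in sessions.values() if s["fallback"]]


if __name__ == "__main__":
    for s in find_gssapi_fallbacks(SAMPLE_LOG):
        outcome = s["method"] or "no successful login"
        print(f"pid {s['pid']}: GSSAPI refused, outcome: {outcome} "
              f"(user={s['user']}, from={s['addr']})")
```

Sessions reported with outcome "password" are the ones where a user with a valid ticket ended up typing a password into the remote host.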