Your message dated Thu, 17 Mar 2011 20:23:08 -0400 (EDT)
with message-id <[email protected]>
and subject line I believe this was fixed in krb5 1.8.3+dfsg-5
has caused the Debian Bug report #567499,
regarding krb5-user: Problem forwarding TGT via ssh
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
567499: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567499
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: krb5-user
Version: 1.8+dfsg~alpha1-5
Severity: normal
This is actually more of a heads-up than an actual bug report, so please feel
free to close as "invalid".
We have recently encountered problems with TGT forwarding via ssh from squeeze
clients to RHEL5 servers. The actual authentication does work so we suspect
that the TGT either gets malformed or misinterpreted somewhere on the way. This
seems to be related to the use of AES-256 encryption as a default instead of
DES in recent versions of kerberos as setting use_weak_crypto to true in
/etc/krb5.conf seems to solve the problem.
For more details please look at the similarly-not-quite-a-bug-report filled
against the sshd of RHEL5.
https://bugzilla.redhat.com/show_bug.cgi?id=559866
Unless this turns out to be a clear-cut SSH client bug in "testing" (that would
get fixed on the next update), the implications might be pretty bad for actual
production users. Perhaps it is worthwhile to get this debugged and impact
understood while the new configuration is still in testing.
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages krb5-user depends on:
ii krb5-config 2.2 Configuration files for Kerberos V
ii libc6 2.10.2-2 GNU C Library: Shared libraries
ii libcomerr2 1.41.9-1 common error description library
ii libgssapi-krb5-2 1.8+dfsg~alpha1-5 MIT Kerberos runtime libraries - k
ii libgssrpc4 1.8+dfsg~alpha1-5 MIT Kerberos runtime libraries - G
ii libk5crypto3 1.8+dfsg~alpha1-5 MIT Kerberos runtime libraries - C
ii libkadm5clnt-mit7 1.8+dfsg~alpha1-5 MIT Kerberos runtime libraries - A
ii libkeyutils1 1.2-12 Linux Key Management Utilities (li
ii libkrb5-3 1.8+dfsg~alpha1-5 MIT Kerberos runtime libraries
ii libkrb5support0 1.8+dfsg~alpha1-5 MIT Kerberos runtime libraries - S
ii libss2 1.41.9-1 command-line interface parsing lib
krb5-user recommends no packages.
krb5-user suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Krb5 managed to break delegation in the 1.8 series. It sort of mostly worked
delegating from MIT to MIT Kerberos but other combinations were not so lucky.
I suspect that's what is going on here.
If you can still reproduce please reopen the bug, but I'm moderately sure this
is fixed.
--- End Message ---
