OK. The way in which the principal is determined changed between krb5 1.8 and 1.6. In 1.8 the system searches through all the keys in the keytab looking for a key that successfully decrypts a ticket. The server name sent in the ticket over the network is ignored (at least by sshd) and only the key in the keytab's name is used.
So, if you had a key in your keytab with principal name host/a.com and the same key as host/b.com, then 1.8 and 1.6 might have different ideas about what the request was actually from. --Sam -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org