Windows clients will handle this automatically by giving the user the
kerberos password prompt. In that case it's done in the kerb library. For
unix (and mac) clients this doesn't happen. The easiest solution is to
wrap the ssh binary with an expiration checker tool. Another route is to
deploy
Hi,
I have deployed a kerberos infrastructure with multiple KDCs. In the
event that a user attempts to log in to a server via ssh with an expired
tgt, the behavior is to check each KDC and then fail. The overall
process takes about 10 seconds, after which ssh moves on to other
authentication ty