Ticket #495 (closed defect: fixed)

Opened 12 years ago

Last modified 12 years ago

The new ssh/ticket delegation user experience is terrible

Reported by: jdreed
Owned by:
Priority: normal
Milestone: Karmic Deploy (Canceled)
Component: --
Keywords:
Cc:
Fixed in version:
Upstream bug:

Description

The combination of the fact that GSSAPIDelegateCredentials is not set on clients and that Debathena's sshd accepts non-delegated credentials is making for a terrible user experience on the dialups. (Whether or not the users *need* to be using the dialups is beside the point.)

In the long term, we would modify the patch to sshd on the old dialups, and upstream it, so that this was a configurable option in sshd_config, but that doesn't help us in the short term.

We added a warning, but no one reads it, and it doesn't help with SFTP connections.

Possible short-term solutions:

  • Patch sshd on the dialups to restore the old functionality (mmanley is looking into this)
  • Configure the dialups to run renew on the user's behalf if there are no tickets (this feels like a MitM attack, and will also break non-interactive sessions, or anything using expect(1), and possibly also break other things we haven't thought of)
  • Configure ssh_config on Debathena to delegate to the dialups (we rejected this before based on security concerns, and also because having host-specific behavior might be more confusing)
  • Configure the dialups to log you off (with a detailed error message) if you don't have tickets. Frankly, there's no need for anyone to be logged into athena.dialup without tickets/tokens. Anyone who actively _wants_ that situation almost certainly has access to another machine. Or Linerva.
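The third option above (delegating from ssh_config) is the one with the clearest security trade-off, because GSSAPIDelegateCredentials forwards the user's Kerberos TGT to whatever host accepts the connection. The fragment below is an added illustration, not a configuration from this ticket or from Debathena, showing the difference between delegating globally and delegating only to a named host; the hostname pattern and the Debathena defaults it assumes are placeholders.

```sshconfig
# Added example ssh_config fragment (not Debathena's shipped config).
# ssh_config uses first-match semantics: for each option the first
# value obtained wins, so host-specific blocks must come BEFORE "Host *".

# Assumed dialup hostname pattern; replace with the real one.
Host athena.dialup.example.edu *.dialup.example.edu
    GSSAPIAuthentication yes
    # Forward the TGT only to these hosts, so a login there has tickets
    # and the sshd does not have to accept a ticketless session.
    GSSAPIDelegateCredentials yes

# Everything else: authenticate with GSSAPI if available, but never
# hand the TGT to an arbitrary remote host.
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
```

The weak variant the ticket warns against is putting GSSAPIDelegateCredentials yes under Host *: every server the user connects to (including ones they do not control) then receives a forwardable copy of their credentials. Scoping it to a Host block limits that exposure to the dialups, at the cost of the host-specific behaviour the reporter notes may confuse users; a user can confirm what a given connection will do with ssh -G hostname, which prints the effective option values.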

Change History

comment:1 Changed 12 years ago by jdreed

  • Status changed from new to closed
  • Resolution set to fixed

sshd has been patched on the dialups.

Fixed.
