Ticket #653 (accepted defect)

Opened 11 years ago

Last modified 5 years ago

send something to upstream about the GSSAPIKeyExchange missing keytab problem

Reported by: geofft
Owned by: achernya
Priority: normal
Milestone: The Distant Future
Component: --
Keywords:
Cc:
Fixed in version:
Upstream bug:

Description

We locally fixed #315 by hacking on the initscript. There are some somewhat-more-upstreamable solutions proposed in my comment involving hacking the source instead; we should report this upstream and preferably send them a patch to do one of those solutions.

I think a server-side fix is preferable to a client-side fix.

Change History

comment:1 Changed 11 years ago by geofft

This is a little more general than just a missing remote keytab, by the way; I ran into this and briefly got highly confused when I had local clock skew.

comment:2 Changed 10 years ago by achernya

  • Owner set to achernya
  • Status changed from new to accepted

comment:3 Changed 9 years ago by ghudson

It's conceivable that this is fixed in krb5 1.11, since gss_acquire_cred for gss-krb5 acceptor credentials will fail immediately if the keytab doesn't exist.

comment:4 Changed 5 years ago by andersk

For the record, this is still a problem in Ubuntu 16.04 (krb5 1.13.2+dfsg-5, openssh-server 7.2p2-4ubuntu1). However, we’re removing the workaround of #315 because we now expect clients not to have GSSAPIKeyExchange on (#1386), and because the workaround broke ssh under systemd (#1562).

Last edited 5 years ago by andersk