id: 495
summary: The new ssh/ticket delegation user experience is terrible
reporter: jdreed
owner:
type: defect
status: closed
priority: normal
milestone: Karmic Deploy (Canceled)
component: --
resolution: fixed
keywords:
cc:
fix_version:
see_also:

description:

The combination of the fact that GSSAPIDelegateCredentials is not set on clients and that Debathena's sshd accepts non-delegated credentials is making for a terrible user experience on the dialups. (Whether or not the users *need* to be using the dialups is beside the point.)

In the long term, we would modify the patch to sshd on the old dialups, and upstream it, so that this was a configurable option in sshd_config, but that doesn't help us in the short term. We added a warning, but no one reads it, and it doesn't help with SFTP connections.

Possibly short term solutions:

- Patch sshd on the dialups to restore the old functionality (mmanley is looking into this)
- Configure the dialups to run renew on the user's behalf if there are no tickets (this feels like a MitM attack, and will also break non-interactive sessions, or anything using expect(1), and possibly also break other things we haven't thought of)
- Configure ssh_config on Debathena to delegate to the dialups (we rejected this before based on security concerns, and also because having host-specific behavior might be more confusing)
- Configure the dialups to log you off (with a detailed error message) if you don't have tickets. Frankly, there's no need for anyone to be logged into athena.dialup without tickets/tokens. Anyone who actively _wants_ that situation almost certainly has access to another machine. Or Linerva.