Bug#413846: Acknowledgement (openssh-client: post-4.3p2-6 openssh gets kerberos-related hang (non-root only))
Russ Allbery <rra@debian.org> wrote:
> Jim Meyering <jim@meyering.net> writes:
>
>> You asked for details, so I've dug a little more.
>
>> I had an active Kerberos ticket for a domain that was currently only
>> partially accessible (VPN is up only some of the time, and sometimes
>> there are only partial routes). When I run kdestroy, it removes the
>> file in /tmp that ssh was reading from (to get the name of the
>> unreachable system it hung on, while trying to "sendto"). Once that
>> file, /tmp/krb5cc_1000, was removed, ssh no longer needed the -o
>> 'GSSAPIAuthentication no' option to work properly.
>
>> Is that enough to go on?
>
> Ah, okay, so not Avahi. You have a valid Kerberos configuration and
> active Kerberos tickets, so ssh wants to do GSSAPI authentication, but
> your connection to your Kerberos realm is very slow or just times out. Is
> that a correct summary?
Almost. The only difference is that there seems to be no time-out.
In one case today, I let ssh "hang" for well over an hour.
> I *hope* it's not particularly common to have Kerberos tickets for a realm
> that isn't responding.