Bug#573739: openssh-client: GSSAPIDelegateCredentials no longer works
Package: openssh-client
Version: 1:5.3p1-3
Severity: normal
GSSAPIDelegateCredentials no longer works for me. Example:
themel@socrates:~$ kinit -f5
Password for themel@CERN.CH:
themel@socrates:~$ grep -A4 lxplus .ssh/config
Host lxplus
ForwardX11 yes
HostName lxplus.cern.ch
GSSAPITrustDns yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
Host lxplus*
ForwardX11 yes
GSSAPITrustDns yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
themel@socrates:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: themel@CERN.CH
Valid starting Expires Service principal
03/13/10 14:42:39 03/14/10 15:42:38 krbtgt/CERN.CH@CERN.CH
renew until 03/18/10 14:42:38
themel@socrates:~$ ssh lxplus249.cern.ch
[.. banner ..]
/usr/X11R6/bin/xauth: timeout in locking authority file /afs/cern.ch/user/t/themel/.Xauthority
hepix: E: /usr/bin/fs returned error, no tokens?
-bash: /afs/cern.ch/user/t/themel/.bash_profile: Permission denied
[lxplus249] /afs/cern.ch/user/t/themel > klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_32651)
Kerberos 4 ticket cache: /tmp/tkt32651
klist: You have no tickets cached
[lxplus249] /afs/cern.ch/user/t/themel >
On an ancient etch machine (OpenSSH 4.3p2):
themel@eristoteles:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: themel@CERN.CH
Valid starting Expires Service principal
03/13/10 14:49:31 03/14/10 14:49:31 krbtgt/CERN.CH@CERN.CH
Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
themel@eristoteles:~$ ssh lxplus249.cern.ch
[.. banner ..]
[lxplus249] /afs/cern.ch/user/t/themel > klist
Ticket cache: FILE:/tmp/krb5cc_32651_WIyiRn3073
Default principal: themel@CERN.CH
Valid starting Expires Service principal
03/13/10 14:49:38 03/14/10 14:49:31 krbtgt/CERN.CH@CERN.CH
Kerberos 4 ticket cache: /tmp/tkt32651
klist: You have no tickets cached
[lxplus249] /afs/cern.ch/user/t/themel >
My somewhat unreliable memory is that this broke with the 5.3 upgrade, but I'm
not a 100% sure about it.
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.33-rc5 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages openssh-client depends on:
ii adduser 3.112 add and remove users and groups
ii debconf [debconf-2.0] 1.5.28 Debian configuration management sy
ii dpkg 1.15.5.6 Debian package management system
ii libc6 2.10.2-6 Embedded GNU C Library: Shared lib
ii libedit2 2.11-20080614-1 BSD editline and history libraries
ii libgssapi-krb5-2 1.8+dfsg~alpha1-7 MIT Kerberos runtime libraries - k
ii libssl0.9.8 0.9.8m-2 SSL shared libraries
ii passwd 1:4.1.4.2-1 change and administer password and
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
Versions of packages openssh-client recommends:
ii openssh-blacklist 0.4.1 list of default blacklisted OpenSS
ii openssh-blacklist-extra 0.4.1 list of non-default blacklisted Op
ii xauth 1:1.0.4-1 X authentication utility
Versions of packages openssh-client suggests:
ii keychain 2.6.8-2 key manager for OpenSSH
pn libpam-ssh <none> (no description available)
ii ssh-askpass 1:1.2.4.1-9 under X, asks user for a passphras
ii ssh-askpass-gnome [ssh-askpa 1:5.3p1-3 interactive X program to prompt us
-- no debconf information
--
[*Thomas Themel*] Unskilled and Unaware of It: How Difficulties
[extended contact] in Recognizing One's Own Incompetence Lead to
[info provided in] Inflated Self-Assessments
[*message header*] <http://www.apa.org/journals/psp/psp7761121.html>
Reply to: