who's maintaining the GSSAPI patch?

To: debian-ssh@lists.debian.org
Subject: who's maintaining the GSSAPI patch?
From: Christoph Anton Mitterer <calestyo@scientia.org>
Date: Tue, 09 May 2023 04:04:58 +0200
Message-id: <[🔎] cc775d04ce32f4fe8a5b4f29b4b4e9f1a1d91d0c.camel@scientia.org>

Hey.

I've wondered whether the GSSAPI patch is still maintained at
https://github.com/openssh-gsskex/openssh-gsskex/
or somewhere else?


Reason for asking is that the following doesn't work completely:

When I have set up a user krb keytab (i.e. in order to get krb tickets
without having to manually enter a passphrase) and login to some host
which is configured to use GSSAPI, then the system seems to be so good
to actually use the user krb keytab and generate a ticket for the
confiugred GSSAPIClientIdentity.

So far so good.


But I actually have krb accounts at several different organisations and
every once in a while, I connect to hosts of these at the "same" time.

At this point, the system fails. As soon as I already have a krb
ticket, it doesn't request another one (e.g. by deleting the current
one) and the login simply fails until I do kdestroy.


I guess the best thing would be if the GSSAPI patch could make use of
KRB5CCNAME env var style cache locations per realm... and not change
the default cache at all.

Hopes are, that this would then allow one to ssh to hosts from
different reals and things would again work out-of-the-box.



Thanks,
Chris.

Reply to:

Prev by Date: Bug#1035754: openssh-server: PermitEmptyPasswords=yes causes login to take 2-4s by enabling PAM password check
Next by Date: Bug#998834: Multiple subsystem options in sshd_config prevent sshd from starting
Previous by thread: Bug#1035754: openssh-server: PermitEmptyPasswords=yes causes login to take 2-4s by enabling PAM password check
Next by thread: Bug#998834: Multiple subsystem options in sshd_config prevent sshd from starting
Index(es):
- Date
- Thread