Bug#567499: krb5-user: Problem forwarding TGT via ssh

Fri, 29 Jan 2010 06:12:20 -0800 

Package: krb5-user
Version: 1.8+dfsg~alpha1-5
Severity: normal


This is actually more of a heads-up than an actual bug report, so please feel 
free to close as "invalid".

We have recently encountered problems with TGT forwarding via ssh from squeeze 
clients to RHEL5 servers. The actual authentication does work so we suspect 
that the TGT either gets malformed or misinterpreted somewhere on the way. This 
seems to be related to the use of AES-256 encryption as a default instead of 
DES in recent versions of kerberos as setting use_weak_crypto to true in 
/etc/krb5.conf seems to solve the problem.

For more details please look at the similarly-not-quite-a-bug-report filled 
against the sshd of RHEL5.
https://bugzilla.redhat.com/show_bug.cgi?id=559866

Unless this turns out to be a clear-cut SSH client bug in "testing" (that would 
get fixed on the next update), the implications might be pretty bad for actual 
production users. Perhaps it is worthwhile to get this debugged and impact 
understood while the new configuration is still in testing.


-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages krb5-user depends on:
ii  krb5-config            2.2               Configuration files for Kerberos V
ii  libc6                  2.10.2-2          GNU C Library: Shared libraries
ii  libcomerr2             1.41.9-1          common error description library
ii  libgssapi-krb5-2       1.8+dfsg~alpha1-5 MIT Kerberos runtime libraries - k
ii  libgssrpc4             1.8+dfsg~alpha1-5 MIT Kerberos runtime libraries - G
ii  libk5crypto3           1.8+dfsg~alpha1-5 MIT Kerberos runtime libraries - C
ii  libkadm5clnt-mit7      1.8+dfsg~alpha1-5 MIT Kerberos runtime libraries - A
ii  libkeyutils1           1.2-12            Linux Key Management Utilities (li
ii  libkrb5-3              1.8+dfsg~alpha1-5 MIT Kerberos runtime libraries
ii  libkrb5support0        1.8+dfsg~alpha1-5 MIT Kerberos runtime libraries - S
ii  libss2                 1.41.9-1          command-line interface parsing lib

krb5-user recommends no packages.

krb5-user suggests no packages.

-- no debconf information



-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to