Hi Sam, thanks for bearing with us!
On Thu, Nov 25, 2010 at 02:01:02PM -0500, Sam Hartman wrote:
> OK. The way in which the principal is determined changed between krb5
> 1.8 and 1.6. In 1.8 the system searches through all the keys in the
> keytab looking for a key that successfully decrypts a ticket. The
> server name sent in the ticket over the network is ignored (at least by
> sshd) and only the key in the keytab's name is used.
>
> So, if you had a key in your keytab with principal name host/a.com and
> the same key as host/b.com, then 1.8 and 1.6 might have different ideas
> about what the request was actually from.

We verified that keys are not shared among hosts. Each host has its
unique key. Looks like we are getting nowhere without a deeper look,
unless you have more ideas I could quickly check.

How would you use 1.9 on squeeze? Compile from source? Just use
experimental packages? Rebuild or backport them?

Helmut
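A check for the shared-key situation described in the quoted text, as an added example that is not part of the original thread: it parses a keytab in MIT file format version 0x0502 and reports principals whose entries carry identical key material. The sample keytab, the realm name and the helper `_entry` are constructed for illustration.

```python
import struct
from collections import defaultdict

def _counted(buf, off):
    """Read a uint16 length-prefixed byte string; return (data, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(buf):
    """Yield (principal, enctype, key bytes) for each entry of a 0x0502 keytab."""
    if buf[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    off = 2
    while off + 4 <= len(buf):
        (size,) = struct.unpack_from(">i", buf, off)
        off += 4
        if size == 0:             # empty record: treat as end of data
            break
        if size < 0:              # negative length marks a deleted entry (hole)
            off += -size
            continue
        p = off
        (ncomp,) = struct.unpack_from(">H", buf, p)
        realm, p = _counted(buf, p + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(buf, p)
            comps.append(c.decode())
        p += 4 + 4 + 1            # skip name type, timestamp, 8-bit kvno
        (enctype,) = struct.unpack_from(">H", buf, p)
        key, p = _counted(buf, p + 2)
        yield "/".join(comps) + "@" + realm.decode(), enctype, key
        off += size

def shared_keys(buf):
    """Return sorted groups of principals that share an identical (enctype, key)."""
    by_key = defaultdict(set)
    for princ, enctype, key in parse_keytab(buf):
        by_key[(enctype, key)].add(princ)
    return sorted(sorted(v) for v in by_key.values() if len(v) > 1)

def _entry(princ, realm, enctype, key):   # hypothetical helper: builds sample entries
    cs = lambda b: struct.pack(">H", len(b)) + b
    comps = princ.encode().split(b"/")
    body = struct.pack(">H", len(comps)) + cs(realm.encode()) + b"".join(map(cs, comps))
    body += struct.pack(">IIBH", 1, 0, 1, enctype) + cs(key)
    return struct.pack(">i", len(body)) + body

# Constructed sample: host/a.com and host/b.com carry the same key, host/c.com does not.
SAMPLE = (b"\x05\x02" + _entry("host/a.com", "EXAMPLE.COM", 18, b"\x11" * 32)
          + _entry("host/b.com", "EXAMPLE.COM", 18, b"\x11" * 32)
          + _entry("host/c.com", "EXAMPLE.COM", 18, b"\x22" * 32))
print(shared_keys(SAMPLE))
```

To run it against a real keytab, pass the file's bytes to `shared_keys`; an empty list means no two principals in that file share a key.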

