Last time I looked at the openssh source code, turning them on could interfere
with the GSSAPI code: notably, it could cause the “old style” ticket forwarding
hack to be attempted instead of GSSAPI credential delegation, which will fail
with GSSAPI credentials.
On 7/15/16, 01:39, "kerberos-boun...@mit.edu on behalf of Benjamin Kaduk"
<kerberos-boun...@mit.edu on behalf of ka...@mit.edu> wrote:
>KerberosAuthentication yes
>KerberosOrLocalPasswd yes
>KerberosTicketCleanup yes
>#KerberosGetAFSToken no
>#KerberosUseKuserok yes
As Brandon said, these are old/deprecated and it is unusual for them to be
the desired configuration. But I don't know enough about what you want in
order to be able to say that for sure.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
