Last time I looked at the openssh source code, turning them on could interfere with the GSSAPI code: notably, it could cause the “old style” ticket forwarding hack to be attempted instead of GSSAPI credential delegation, which will fail with GSSAPI credentials.
On 7/15/16, 01:39, "kerberos-boun...@mit.edu on behalf of Benjamin Kaduk" <kerberos-boun...@mit.edu on behalf of ka...@mit.edu> wrote: >KerberosAuthentication yes >KerberosOrLocalPasswd yes >KerberosTicketCleanup yes >#KerberosGetAFSToken no >#KerberosUseKuserok yes As Brandon said, these are old/deprecated and it is unusual for them to be the desired configuration. But I don't know enough about what you want in order to be able to say that for sure. ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos