Wayne Betts wrote:
I inadvertently had sl-contrib enabled on an SL4.6 system and this morning it
updated openssh, openssh-server, etc., getting them from sl-contrib. For
instance:
openssh-server-3.9p1-22.SL.4.22.i386
According to the changelog, the changes appear to only include some bug fixes
compared to the "stock" SL version (3.9p1-8). But upon logging in, it now
tries (unsuccessfully) to get an AFS token with the aklog command, which I'd
rather it not do. I don't see any reason for this in the sshd_config, which
matches a box with the 3.9p1-8 version. Specifically, all the Kerberos options
are commented out:
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
Could the package in sl-contrib be a build for SLF instead of an SL build or
possibly have some remnant(s) of the changes for SLF/LTS?
I know I can downgrade to the non-contrib version, but am wondering if this
might be a small oops in the contrib section? Or perhaps I don't understand
the contrib section's purpose. Then again, perhaps all of this will clear up
with the openssh updates due out later today for other reasons.
-Wayne
Hi Wayne,
This is not an oops, it is on purpose.
From the README in that directory
"These versions of openssh have been patched to be able to use
both the old and the new versions of gssapi. This allows them
to do kerberos authentication with both kerberized openssh before
openssh 3.9, and after openssh 3.9"
But we do not have the openssh server configured so that it does kerberos only,
like we do in SLF's version of openssh-server.
Why?
Well, if we did, you'd be worrying a lot more than just having it do aklog when
you log in. You wouldn't be able to log in any other way than kerberos. And I
don't think you want that.
So we have it configured to have the same settings that you get with the
regular openssh-server that you get from RedHat.
Most people who use this version of openssh are really more concerned with
having an openssh client, not the server, that does both the old and new kerberos.
Anyway ... the real problem is that annoying message about doing aklog when you
log in isn't it?
I remember another lab having that problem and we fixed it for them ... I
think. It might have been changing the aklog stuff in /etc/krb5.conf ... but
let me check.
Troy
--
__________________________________________________
Troy Dawson [EMAIL PROTECTED] (630)840-6468
Fermilab ComputingDivision/LCSI/CSI DSS Group
__________________________________________________