ftpd and AFS tickets

Ken Hornstein kenh at cmf.nrl.navy.mil
Wed Apr 24 10:34:52 EDT 2002


>I get logged in with entering password/passphrase, so GSSAPI works.
>But I have no ticket, not even if requesting a forwardable and/or
>proxiable ticket on my client at home.
>
>Since I don't have a ticket, I can't get a token either... So this
>GSSAPI isn't working, or I'm making a big mistake somewhere...

It sounds like your credentials aren't being forwarded across the
connection (which is a different operation than just authentication).
I'm not sure what triggers that in ssh; ssh people will have to speak
up about that.

>    Ken> Are users typing cleartext passwords inside of ssh?
>
>Ehm... Hu?

I take that as a "no".

>    >> But how about the kerberized FTP/Telnet clients/daemons?
>
>    Ken> We have special versions here that make calls to
>    Ken> setpag()/aklog after tickets have been forwarded so you
>    Ken> always get an AFS token automatically.
>
>Got a patch I can get? PLEASE!?!?! :)

Well ... right now the working patch is for an old version of MIT Kerberos.
I'm in the middle of upgrading everything, but it's all busted now.

Conceptually, the patch is very easy; in login.krb5, just run aklog if
credentials exist.  Probably you could do it in an afternoon.

--Ken
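
Added example, not part of the original message and not Ken's patch: one way to write the "run aklog if credentials exist" step described above for login.krb5, in C. It assumes a file-based cache named by KRB5CCNAME; AKLOG_PATH, the function names and the ownership/permission checks are assumptions of this example.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

#define AKLOG_PATH "/usr/bin/aklog"  /* assumed install path, not from the post */

/* File path behind a KRB5CCNAME value ("FILE:/path" or a bare "/path"),
 * or NULL for other cache types, which this example does not handle. */
const char *ccache_file_path(const char *ccname)
{
    if (ccname == NULL)
        return NULL;
    if (strncmp(ccname, "FILE:", 5) == 0)
        ccname += 5;
    return (*ccname == '/') ? ccname : NULL;
}

/* 1 if credentials exist: a non-empty regular file owned by uid with no
 * group/other access. lstat() means a symlink is never followed. */
int creds_exist(const char *ccname, uid_t uid)
{
    struct stat st;
    const char *path = ccache_file_path(ccname);
    if (path == NULL || lstat(path, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_uid == uid && st.st_size > 0 &&
           (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Run aklog when credentials exist; assumes the caller already runs as the
 * user and has made the setpag() call the post mentions (needs AFS libs).
 * Returns aklog's exit status, or -1 if skipped or it could not be run. */
int run_aklog_if_creds(const char *ccname, uid_t uid)
{
    int status;
    pid_t pid;
    if (!creds_exist(ccname, uid) || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {                       /* child: exec aklog with the cache */
        setenv("KRB5CCNAME", ccname, 1);
        execl(AKLOG_PATH, "aklog", (char *)NULL);
        _exit(127);                       /* exec failed */
    }
    return (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
           ? -1 : WEXITSTATUS(status);
}
```

If no tickets were forwarded, the cache file is absent and aklog is never started, so the login path behaves as before.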


