peter duff duffpl-spam at
Wed Apr 30 02:30:38 EDT 2003

Hi all -
I have patched openssh 3.4p1 with simon's gssapi patch, (great job by the

I can now run kinit and get a TGT on my workstation, ssh to a remote machine
has a host/ principal and it all works great.

a couple of questions:
1. Does the ssh client support running kinit (locally) to first attempt to
get a tgt if one doesnt exist?  This would be useful at the start of the day
if something like xlock or similar didnt get TGTs (ie when you unlock your
screen, it takes your password and authenticates you).

2. I discovered that if I "ssh localhost", and principal of host/localhost
is requested from the TGS.  This is clearly not desired, but makes perfect
sense.   I hadn't seen this documented, so just wanted to bring it up.  "ssh
my_real_ip" is probably fine from a user point of view.



More information about the Kerberos mailing list