ssh-krb5 problems

rachel elizabeth dillon red at MIT.EDU
Tue Sep 21 19:28:52 EDT 2004


I just tested this properly with a 1.3.4 implementation I built for someone else
recently; I was incorrect. The only time that the KDC is not queried is if you
do not have tickets to begin with. If you have valid realm tickets but try to
log in with something like "ssh -l fakename valid.host.com", the KDC will 
be queried. I expect this is probably reasonable behavior in both cases.
(The KDC _will_ be queried if you are using PAM to authenticate via Kerberos
with password-interactive, also.)

Sorry to mislead; I tested briefly but didn't actually check to see if I had
tickets before I did so.

-r.


On Tue, Sep 21, 2004 at 07:20:10PM -0400, Ken Raeburn wrote:
> On Sep 21, 2004, at 17:29, rachel elizabeth dillon wrote:
> >1. Are you trying to ssh as a user that exists on the other machine?
> >If the user does not exist in the other machine's /etc/passwd, then
> >I don't believe the KDC will ever be queried.
> 
> That sounds like an undesirable leak of information from the server, if 
> that's true.
> 
> Ken
> 


More information about the Kerberos mailing list