sshd, Tiger and KRB5CCNAME

Alexandra Ellwood lxs at MIT.EDU
Tue Aug 29 10:50:20 EDT 2006



On Aug 29, 2006, at 10:13 AM, Simon Wilkinson wrote:

>
> On 25 Aug 2006, at 19:58, Alexandra Ellwood wrote:
>
>>
>> Is the CCAPI patch even in what went out in the Tiger security
>> update?  AFAICT, it's not, so perhaps the machines where it isn't
>> working have taken the update and the others have not.
>
> No, it is. It looks like the Tiger security update combines the 4.2p1
> OpenSSH release with the latest version of my GSSAPI patches. These
> patches included CCAPI support, but had a mistake where 'FILE:' was
> appended to the ccname when creating the environment variable for the
> ccache, rather than using 'API:'. You can get access to the delegated
> cache by either changing, or unsetting, your KRB5CCNAME shell variable.
>
> GssapiKeyExchange is also present, but is now hidden behind an option
> defaulting to off.
>


Just a quick reminder to everyone being impacted by this issue:

If you would like to see this fixed, please take a moment to file a  
bug report at <http://bugreport.apple.com/>.  If you don't file a  
bug, Apple won't know this is a serious problem and is unlikely to  
fix it promptly.  Even if your bug gets filed as a duplicate, you'll  
be added to the list of impacted people and thus increase the bug's  
priority.  If you're a large site, telling your Apple sales  
representatives that your bug report is a serious issue for your site  
can also help.

Discussing it on this list may cause patches to get generated, but it  
doesn't actually get those patches into a software update.  :-)



--lxs

Alexandra Ellwood <lxs at mit.edu>
MIT Kerberos Development Team
<http://mit.edu/lxs/www>
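
The workaround described in the quoted message, written out for a login profile. This is an added example, not part of the original post and not code from the OpenSSH GSSAPI patches. It assumes the text after 'FILE:' is the CCAPI cache name, and repair_ccname is a hypothetical helper name.

```shell
# Added example: repair a KRB5CCNAME that sshd exported with the wrong
# cache-type prefix ('FILE:' where 'API:' was intended).
# Assumption: the residual after 'FILE:' is the CCAPI cache name.

# Print the value KRB5CCNAME should have, given the value sshd set.
repair_ccname() {
    ccname=$1
    case $ccname in
        FILE:*)
            residual=${ccname#FILE:}
            if [ -f "$residual" ]; then
                # A real file-based cache exists on disk: leave it alone.
                printf '%s\n' "$ccname"
            else
                # No such file, so the name was mislabelled: switch the type.
                printf 'API:%s\n' "$residual"
            fi
            ;;
        *)
            # Already API:, some other type, or empty: nothing to repair.
            printf '%s\n' "$ccname"
            ;;
    esac
}

# Apply it only when sshd actually set the variable for this session.
if [ -n "${KRB5CCNAME:-}" ]; then
    KRB5CCNAME=$(repair_ccname "$KRB5CCNAME")
    export KRB5CCNAME
fi
```

Running klist afterwards shows whether the delegated tickets are now visible.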




