sshd, Tiger and KRB5CCNAME

Alexandra Ellwood lxs at MIT.EDU
Tue Aug 29 10:50:20 EDT 2006

On Aug 29, 2006, at 10:13 AM, Simon Wilkinson wrote:

> On 25 Aug 2006, at 19:58, Alexandra Ellwood wrote:
>> Is the CCAPI patch even in what went out in the Tiger security
>> update?  AFAICT, it's not, so perhaps the machines where it isn't
>> working have taken the update and the others have not.
> No, it is. It looks like the Tiger security update combines the 4.2p1
> OpenSSH release, with the latest version of my GSSAPI patches. These
> patches included CCAPI support, but had a mistake where 'FILE:' was
> appended to the ccname when creating the environment variable for the
> ccache, rather than using 'API:'. You can get access to the delegated
> cache by either changing, or unsetting, your KRB5CCNAME shell variable.
> GssapiKeyExchange is also present, but is now hidden behind an option
> defaulting to off.

Just a quick reminder to everyone being impacted by this issue:

If you would like to see this fixed, please take a moment to file a  
bug report at <>.  If you don't file a  
bug, Apple won't know this is a serious problem and is unlikely to  
fix it promptly.  Even if your bug gets filed as a duplicate, you'll  
be added to the list of impacted people and thus increase the bug's  
priority.  If you're a large site, telling your Apple sales  
representatives that your bug report is a serious issue for your site  
can also help.

Discussing it on this list may cause patches to get generated, but it  
doesn't actually get those patches into a software update.  :-)


Alexandra Ellwood <lxs at>
MIT Kerberos Development Team
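
The workaround from the quoted message, written as an added shell example that is not part of the original thread or of the OpenSSH patches. It assumes that "changing" means swapping the mistaken `FILE:` prefix for `API:` and that the text after the prefix is the CCAPI cache name; the function name `repair_krb5ccname` is hypothetical.

```shell
# Added example (not from the thread). Assumption: the affected sshd exported
# KRB5CCNAME as "FILE:<name>" where <name> is really a CCAPI cache name.

# repair_krb5ccname VALUE
# Prints the value KRB5CCNAME should carry:
#   - a FILE: name whose path exists is a real file cache and is kept as-is
#   - a FILE: name with no file behind it is treated as the mislabelled
#     CCAPI cache and is rewritten to API:<name>
#   - anything else (API:, other cache types, bare "FILE:") is kept unchanged
repair_krb5ccname() {
    ccname=$1
    case $ccname in
        FILE:?*)
            residual=${ccname#FILE:}
            if [ -f "$residual" ]; then
                printf '%s\n' "$ccname"
            else
                printf 'API:%s\n' "$residual"
            fi
            ;;
        *)
            printf '%s\n' "$ccname"
            ;;
    esac
}

# Apply the repair to the current login shell, and report it on stderr so the
# change is visible. Nothing happens when KRB5CCNAME is unset or already valid.
if [ -n "${KRB5CCNAME:-}" ]; then
    fixed=$(repair_krb5ccname "$KRB5CCNAME")
    if [ "$fixed" != "$KRB5CCNAME" ]; then
        echo "KRB5CCNAME: $KRB5CCNAME -> $fixed" >&2
        KRB5CCNAME=$fixed
        export KRB5CCNAME
    fi
fi
```

Sourcing this from a shell startup file, rather than executing it, is what makes the corrected variable visible to later commands in the session.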
