sshd, Tiger and KRB5CCNAME
Alexandra Ellwood
lxs at MIT.EDU
Tue Aug 29 10:50:20 EDT 2006
On Aug 29, 2006, at 10:13 AM, Simon Wilkinson wrote:
>
> On 25 Aug 2006, at 19:58, Alexandra Ellwood wrote:
>
>>
>> Is the CCAPI patch even in what went out in the Tiger security
>> update? AFAICT, it's not, so perhaps the machines where it isn't
>> working have taken the update and the others have not.
>
> No, it is. It looks like the Tiger security update combines the 4.2p1
> OpenSSH release, with the latest version of my GSSAPI patches. These
> patches included CCAPI support, but had a mistake where 'FILE:' was
> appended to the ccname when creating the environment variable for the
> ccache, rather than using 'API:'. You can get access to the delegated
> cache by either changing, or unsetting, your KRB5CCNAME shell variable
>
> GssapiKeyExchange is also present, but is now hidden behind an option
> defaulting to off.
>
Just a quick reminder to everyone being impacted by this issue:
If you would like to see this fixed, please take a moment to file a
bug report at <http://bugreport.apple.com/>. If you don't file a
bug, Apple won't know this is a serious problem and is unlikely to
fix it promptly. Even if your bug gets filed as a duplicate, you'll
be added to the list of impacted people and thus increase the bug's
priority. If you're a large site, telling your Apple sales
representatives that your bug report is a serious issue for your site
can also help.
Discussing it on this list may cause patches to get generated, but it
doesn't actually get those patches into a software update. :-)
--lxs
Alexandra Ellwood <lxs at mit.edu>
MIT Kerberos Development Team
<http://mit.edu/lxs/www>
More information about the Kerberos
mailing list