GSSAPIDelegateCredentials only works for REQUIRES_PRE_AUTH principals?
Russ Allbery
rra at stanford.edu
Thu Jun 3 00:04:32 EDT 2010
Adam Megacz <megacz at cs.berkeley.edu> writes:
> I find that OpenSSH (5.1p1 on both sides) will silently refuse to
> delegate credentials if the principal being delegated lacks the
> REQUIRES_PRE_AUTH attribute. Adding that attribute at the KDC and
> re-issuing the principal's tickets causes everything to work perfectly.
> Is this behavior intentional?
Check the host/* principal on the system to which you were authenticating.
I bet that the REQUIRES_PRE_AUTH flag was set for it, which means that
only tickets that are pre-authenticated can authenticate to that service
principal.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
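The mismatch the reply describes can be checked from `klist -f` on the client and `getprinc` in kadmin for the host principal. The following is an added example, not part of the original post: it assumes MIT Kerberos output formats, and the sample output, realm and principal names are constructed placeholders.

```python
import re

# Constructed samples modelled on MIT Kerberos `klist -f` and kadmin `getprinc`
# output; realm, host and user names are placeholders, not from the thread.
KLIST_F = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.ORG

Valid starting     Expires            Service principal
06/03/10 00:01:00  06/03/10 10:01:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
\tFlags: FI
"""

GETPRINC = """\
Principal: host/server.example.org@EXAMPLE.ORG
Policy: [none]
Attributes: REQUIRES_PRE_AUTH
"""


def tgt_flags(klist_output):
    """Return the flag letters of the krbtgt entry, or None if no TGT is listed."""
    in_tgt = False
    for line in klist_output.splitlines():
        if line and not line[0].isspace():
            # Unindented line: a header or the start of a new ticket entry.
            in_tgt = re.search(r"\skrbtgt/\S+$", line.rstrip()) is not None
            continue
        m = re.search(r"Flags:\s*([A-Za-z]+)", line)
        if in_tgt and m:
            return m.group(1)
    return None


def service_requires_preauth(getprinc_output):
    """True if the principal's Attributes line lists REQUIRES_PRE_AUTH."""
    m = re.search(r"^Attributes:(.*)$", getprinc_output, re.MULTILINE)
    return bool(m) and "REQUIRES_PRE_AUTH" in m.group(1).split()


def diagnose(klist_output, getprinc_output):
    flags = tgt_flags(klist_output)
    if flags is None:
        return "no TGT in cache"
    preauthed = "A" in flags  # klist -f prints A for a pre-authenticated ticket
    if service_requires_preauth(getprinc_output) and not preauthed:
        return "mismatch: service requires pre-auth, TGT lacks the A flag"
    return "ok"
```
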