telnet & ftp official status

Ken Hornstein kenh at
Sat Oct 4 20:24:58 EDT 2008

>Sadly, I don't think it would help much.  What the protocol actually 
>carries is a GSS major and minor status and a text message.  A server 
>implementation which does not have intimate details about the underlying 
>GSS-API mechanism implementation can't do much better than to call 
>GSS_Display_status, which returns exactly those values.  Unfortunately, it 
>is all too common for the returned error to be KRB5KRB_ERR_GENERIC, with 
>the real error being buried in a Kerberos protocol field that never gets 

Actually, that's not been my experience.  With the MIT Kerberos gssftp
implementation gss_display_status on the minor error code always ends up
displaying the "real" Kerberos error message, and I don't think I've ever
seen gssftp spit out KRB5KRB_ERR_GENERIC.  It's certainly useful enough
that it's always helped in debugging problems.  Admittedly OpenSSH isn't
the only GSS-API program that likes to hide the real error message (*cough*
kadmin *cough*) but it's certainly possible to return something useful.


More information about the krbdev mailing list