telnet & ftp official status
Ken Hornstein
kenh at cmf.nrl.navy.mil
Sat Oct 4 20:24:58 EDT 2008
>Sadly, I don't think it would help much. What the protocol actually
>carries is a GSS major and minor status and a text message. A server
>implementation which does not have intimate details about the underlying
>GSS-API mechanism implementation can't do much better than to call
>GSS_Display_status, which returns exactly those values. Unfortunately, it
>is all too common for the returned error to be KRB5KRB_ERR_GENERIC, with
>the real error being buried in a Kerberos protocol field that never gets
>extracted.
Actually, that's not been my experience. With the MIT Kerberos gssftp
implementation gss_display_status on the minor error code always ends up
displaying the "real" Kerberos error message, and I don't think I've ever
seen gssftp spit out KRB5KRB_ERR_GENERIC. It's certainly useful enough
that it's always helped in debugging problems. Admittedly OpenSSH isn't
the only GSS-API program that likes to hide the real error message (*cough*
kadmin *cough*) but it's certainly possible to return something useful.
--Ken