[32409] in Kerberos
Re: GSSAPIDelegateCredentials only works for REQUIRES_PRE_AUTH
daemon@ATHENA.MIT.EDU (Russ Allbery)
Thu Jun 3 00:04:37 2010
From: Russ Allbery <rra@stanford.edu>
To: Adam Megacz <megacz@cs.berkeley.edu>
In-Reply-To: <xuu2mxvcbx69.fsf@gentzen.megacz.com> (Adam Megacz's message of
"Thu, 03 Jun 2010 03:41:02 +0000")
Date: Wed, 02 Jun 2010 21:04:32 -0700
Message-ID: <87d3w83gof.fsf@windlord.stanford.edu>
Cc: kerberos@mit.edu
Adam Megacz <megacz@cs.berkeley.edu> writes:

> I find that OpenSSH (5.1p1 on both sides) will silently refuse to
> delegate credentials if the principal being delegated lacks the
> REQUIRES_PRE_AUTH attribute. Adding that attribute at the KDC and
> re-issuing the principal's tickets causes everything to work perfectly.
> Is this behavior intentional?

Check the host/* principal on the system to which you were authenticating.
I bet that the REQUIRES_PRE_AUTH flag was set for it, which means that
only tickets that are pre-authenticated can authenticate to that service
principal.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
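
An added example, not part of the original message: one way to check for the condition the reply describes, by reading the `Attributes:` line of `kadmin getprinc` output for the host principal and the `Flags:` line that `klist -f` prints for the client's TGT (`A` marks a pre-authenticated ticket). The principal names, realm and both command outputs below are constructed samples.

```python
import re

# Constructed sample of `kadmin -q "getprinc host/server.example.org"` output
# (hypothetical principal and realm).
GETPRINC_HOST = """\
Principal: host/server.example.org@EXAMPLE.ORG
Expiration date: [never]
Number of keys: 2
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
"""

# Constructed sample of `klist -f` output: a TGT obtained without
# pre-authentication has no 'A' in its flags string.
KLIST_NO_PREAUTH = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.ORG

Valid starting     Expires            Service principal
06/02/10 20:00:00  06/03/10 06:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
\tFlags: FI
"""
KLIST_PREAUTH = KLIST_NO_PREAUTH.replace("Flags: FI", "Flags: FIA")


def principal_attributes(getprinc_text):
    """Return the set of attribute names on the 'Attributes:' line."""
    m = re.search(r"^Attributes:[ \t]*(.*)$", getprinc_text, re.M)
    return set(m.group(1).split()) if m else set()


def tgt_flags(klist_text):
    """Return the flags string printed under the krbtgt entry, or ''."""
    m = re.search(r"krbtgt/\S+\s*\n\s*Flags:\s*(\w+)", klist_text)
    return m.group(1) if m else ""


def service_will_reject(getprinc_text, klist_text):
    """True when the service principal requires pre-authenticated tickets
    and the client's TGT lacks the pre-authenticated ('A') flag."""
    needs_preauth = "REQUIRES_PRE_AUTH" in principal_attributes(getprinc_text)
    return needs_preauth and "A" not in tgt_flags(klist_text)


if __name__ == "__main__":
    print("no preauth TGT rejected:", service_will_reject(GETPRINC_HOST, KLIST_NO_PREAUTH))
    print("preauth TGT rejected:   ", service_will_reject(GETPRINC_HOST, KLIST_PREAUTH))
```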