Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 17845

Summary: openssh sshd config file error
Product: [Retired] Red Hat Linux
Reporter: Seth Vidal <skvidal>
Component: openssh
Assignee: Tomas Mraz <tmraz>
Status: CLOSED NOTABUG
Severity: high
Priority: medium
Version: 7.0
CC: pekkas
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2005-02-02 15:59:01 UTC

Description Seth Vidal 2000-09-26 03:29:48 UTC
Hi, the sshd_config file in /etc/ssh contains the following lines:
# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd no 
#AFSTokenPassing no
#KerberosTicketCleanup no

Uncommenting these lines will cause an error claiming that the
configuration directives are incorrect.
 
This appears to be a brokenness in openssh - not in your build of it.

However, ssh'ing into a configured Kerberos system does not succeed, while
using login from the same system on the same account does.

I've checked the PAM config for both, and b/c of system-auth (pam_stack)
they are both using more or less the same rules (excluding ssh's use of
pam_limit).

Nevertheless, something is broken - I'll relate more as I know it.

Thanks

Comment 1 Pekka Savola 2000-09-26 18:45:18 UTC
This is a feature or "feature" of OpenSSH.

If certain options (I tried AFSTokenPassing and KerberosTgtPassing myself, a month or two ago)
aren't enabled at compile time, sshd will barf if they're used -- those won't be recognized at all.
This isn't how it's usually done, I think.

-- e.g. from servconf.c ---
[ ... ]
#ifdef KRB4
        oKerberosAuthentication,
#endif /* KRB4 */
#ifdef AFS
        oKerberosTgtPassing, oAFSTokenPassing,
#endif
[ ... ]
---
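
Added example, not part of the original comments and not OpenSSH source: a small C sketch of the compile-time keyword table described in comment 1, showing why the shipped "#KerberosAuthentication no" line is harmless while the uncommented form is rejected. The compiled_out table and every identifier here are assumptions made for illustration; they let the checker tell "keyword not built into this binary" apart from a plain typo.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
enum verdict { LINE_OK, LINE_NOT_BUILT, LINE_UNKNOWN };

/* Hypothetical keyword table: optional entries exist only if compiled in. */
static const char *const keywords[] = {
    "Port", "PasswordAuthentication",
#ifdef KRB4
    "KerberosAuthentication",
#endif
#ifdef AFS
    "KerberosTgtPassing", "AFSTokenPassing",
#endif
    NULL
};

/* Assumption for this sketch: names the build knows but was compiled without. */
static const char *const compiled_out[] = {
#ifndef KRB4
    "KerberosAuthentication",
#endif
#ifndef AFS
    "KerberosTgtPassing", "AFSTokenPassing",
#endif
    NULL
};

static int in_table(const char *const *t, const char *w, size_t n) {
    for (; *t != NULL; t++)
        if (strlen(*t) == n && strncasecmp(*t, w, n) == 0)
            return 1;
    return 0;
}

/* Classify one sshd_config-style line by its first word. */
enum verdict check_line(const char *line) {
    line += strspn(line, " \t");
    if (*line == '\0' || *line == '#' || *line == '\n')
        return LINE_OK;                       /* blank or commented out */
    size_t n = strcspn(line, " \t=\r\n");     /* length of the keyword */
    if (in_table(keywords, line, n)) return LINE_OK;
    return in_table(compiled_out, line, n) ? LINE_NOT_BUILT : LINE_UNKNOWN;
}

int main(void) {
    /* Constructed sample: shipped comment line, same line uncommented, base option. */
    const char *sample[] = { "#KerberosAuthentication no", "KerberosAuthentication no", "Port 22" };
    for (int i = 0; i < 3; i++)
        printf("%-28s -> %d\n", sample[i], check_line(sample[i]));
    return 0;
}
```

Built without -DKRB4 or -DAFS, the uncommented Kerberos and AFS keywords come back as LINE_NOT_BUILT; a parser that only has the first table would report them the same way as any misspelled option.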

Comment 2 Nalin Dahyabhai 2000-10-02 01:12:42 UTC
OpenSSH doesn't yet support Kerberos 5 for authentication, and we're trying to
stay away from using Kerberos IV auth for anything in the distribution.  Local
testing shows that sshd with PAM and pam_krb5 does operate correctly, so I'm not
sure what to make of Seth's results otherwise.

Comment 3 Tomas Mraz 2005-02-02 15:59:01 UTC
This doesn't seem to me to be a real bug (see comment #1 and comment #2).
Maybe we could patch out the commented options from the config file,
but it doesn't seem to me to be worth the patch.