Bug 129293 - kerberos ticket forwarding support on openssh
Summary: kerberos ticket forwarding support on openssh
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: openssh
Version: 3.0
Hardware: i686
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2004-08-05 22:30 UTC by Franco M. Bladilo
Modified: 2007-11-30 22:07 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-02-09 13:51:01 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)

Description Franco M. Bladilo 2004-08-05 22:30:35 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.2)
Gecko/20040308

Description of problem:
We need kerberos ticket forwarding support on openssh, our
infrastructure is being
kerberized and many users have already complained about this feature
missing on RHEL3.



Version-Release number of selected component (if applicable):
openssh-3.6.1p2-33.30.1

How reproducible:
Always

Steps to Reproduce:
1.Use the RHEL WS U2 provided openssh (openssh-3.6.1p2-33.30.1)
2.
3.
    

Actual Results:  No kerberos ticket forwarding support.


Additional info:

Comment 1 Jonathan Reed 2004-08-11 19:19:45 UTC
Personally, I think this bug is more than just an "enhancement"

Here at MIT we're running into this issue.  The SPEC file for the SRPM has this neat little 
line in it:

# Apply gss-specific patches only if the release tag includes "gss".  (Not
# to be used for actual releases until it's in the mainline.)
if echo "%{release}" | grep -q gss; then
%patch11 -p1 -b .gssapi
autoreconf
fi

If you add 'gss' to the release tag, or simply comment out the "if" clause, and rebuild the 
RPM, the patch gets applied, and ssh behaves as expected.  

It's most unfortunate that the GSSAPI patch has been left out of the mainline release.  It's 
been around for quite some time, and is in widespread use in other distributions.  Without 
this patch, OpenSSH is mostly useless in any Kerberized infrastructure.  Is there any 
chance that this patch can make into mainline releases before RHEL 4.0?  Alternatively, can 
you provide two packages, one with GSSAPI, and one without, until such time?  Having an 
OpenSSH client with Kerberos support in this half-broken state is alienating a number of 
large educational institutions.

Comment 2 seph 2004-09-15 20:14:01 UTC
particularly as authconfig supports kerberos. Are there any plans to
fix this, or has it fallen through the cracks since it's flagged as an
enhancement?

Comment 3 Tomas Mraz 2005-02-09 13:51:01 UTC
No, there are currently no such plans and note that the patch in the
SRPM is incompatible with the gssapi implementation in the current
openssh-3.9p1.


Note You need to log in before you can comment on or make changes to this bug.