Bug 17845 - openssh sshd config file error
openssh sshd config file error
Status: CLOSED NOTABUG
Product: Red Hat Linux
Classification: Retired
Component: openssh (Show other bugs)
7.0
i386 Linux
medium Severity high
: ---
: ---
Assigned To: Tomas Mraz
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2000-09-25 23:29 EDT by Seth Vidal
Modified: 2007-04-18 12:28 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-02-02 10:59:01 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Seth Vidal 2000-09-25 23:29:48 EDT
Hi the sshd_config file in /etc/ssh contains the following lines:
# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd no 
#AFSTokenPassing no
#KerberosTicketCleanup no

uncommenting these lines will cause an error claiming that the
configuration directives are incorrect.
 
This appears to be a brokenness in openssh - not in your build of it.

However ssh'ing into a configured kerberos system does not succeed while
using login from the same system on the same account does.

I've checked the pam config for both and b/c of system-auth (pam_stack)
they are both using more or less the same rules (excluding ssh's use of
pam_limit)

nevertheless something is broken - I'll relate more as I know it.

thanks
Comment 1 Pekka Savola 2000-09-26 14:45:18 EDT
This is a feature or "feature" of OpenSSH.

If certain options (I tried AFSTokenPassing and KerberosTgtPassing myself, a month or two ago),
aren't enabled at compile time, sshd will barf if they're used -- those won't be recognized at all.  
This isn't how it's usually done I think.

-- e.g. from servconf.c ---
[ ... ]
#ifdef KRB4
        oKerberosAuthentication,
#endif /* KRB4 */
#ifdef AFS
        oKerberosTgtPassing, oAFSTokenPassing,
#endif
[ ... ]
---
Comment 2 Nalin Dahyabhai 2000-10-01 21:12:42 EDT
OpenSSH doesn't yet support Kerberos 5 for authentication, and we're trying to
stay away from using Kerberos IV auth for anything in the distribution.  Local
testing shows that sshd with PAM and pam_krb5 does operate correctly, so I'm not
sure what to make of Seth's results otherwise.
Comment 3 Tomas Mraz 2005-02-02 10:59:01 EST
This doesn't seem to me as a real bug (see comment #1, and comment #2).
Maybe we could patch out the commented options from the config file
but it doesn't seem to me to be worth the patch.

Note You need to log in before you can comment on or make changes to this bug.