Bug 1620

Summary: GSSAPIDelegateCredentials fails silently when given non-forwardable tickets
Product: Portable OpenSSH Reporter: Adam Megacz <megacz>
Component: Kerberos supportAssignee: Assigned to nobody <unassigned-bugs>
Status: NEW ---    
Severity: normal CC: djm
Priority: P2    
Version: 5.2p1   
Hardware: Other   
OS: All   

Description Adam Megacz 2009-07-10 10:21:24 AEST 
Executing

 ssh -vvv -oGSSApiAuthentication=on -oGSSApiDelegateCredentials=on host

produces no error messages if the tickets in the client's credentials cache are of the non-forwardable variety.  I'm not sure if this is a client or server bug, but one of them should produce some sort of message to explain why the user winds up logged in with no tickets.
Comment 1 Damien Miller 2009-09-09 10:40:54 AEST 
I don't think that there is any error here. Non-forwardable tickets are not an error condition and neither is using GSSAPIDeletegateCredentials with no forwardable tickets.

Also, it doesn't look like the GSSAPI provides an easy way for us to identify this case (but I am no expert on it).
Comment 2 Adam Megacz 2009-09-10 04:01:14 AEST 
I don't think they're an error condition in general, unless the user has explicitly asked them to be forwarded with "-oGSSApiDelegateCredentials=on".  In that case openssh ought to inform the user that it was unable to carry out her explicit request.