Bug 1868

Summary: 'ssh -k' should explicitly disable gss auth
Product: Portable OpenSSH
Reporter: Frank Cusack <frank+ssh>
Component: Kerberos support
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WONTFIX
Severity: normal
CC: djm
Priority: P2
Version: 5.8p1
Hardware: All
OS: All

Description Frank Cusack 2011-02-24 13:44:06 AEDT
In ssh.c, the option handling for 'k' should disable gss auth. There should be an explicit

  options.gss_authentication = 0;

at ssh.c:362, mirroring the 'K' option handling just below that line.

Comment 1 Damien Miller 2011-05-06 11:58:44 AEST
I think the issue here is that -K and -k are not completely symmetrical:

>  -K   Enables GSSAPI-based authentication and forwarding (delegation)
>       of GSSAPI credentials to the server.
> 
>  -k   Disables forwarding (delegation) of GSSAPI credentials to the
>       server.

I think the rationale is that delegation requires authentication to be useful, but disabling delegation without disabling authentication is a useful thing to do too.
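
The asymmetry described in the comment above, as an added example that is not part of the original thread or of OpenSSH: a shell function that reads `ssh -G <host>` style output and reports whether GSSAPI authentication and delegation are both on, authentication only, or off. It assumes an ssh new enough to support `-G` (later than the 5.8p1 in this report); the sample inputs, host name and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a client's GSSAPI posture from `ssh -G <host>` style
# output on stdin. Prints auth+deleg, auth-only, off, or unknown.
gss_posture() {
    awk '
        tolower($1) == "gssapiauthentication"      { auth  = tolower($2) }
        tolower($1) == "gssapidelegatecredentials" { deleg = tolower($2) }
        END {
            if (auth == "")          print "unknown"     # no GSSAPI keywords in the input
            else if (auth != "yes")  print "off"         # delegation is moot without GSS auth
            else if (deleg == "yes") print "auth+deleg"  # what -K asks for
            else                     print "auth-only"   # GSS auth on, delegation off
        }'
}

# Constructed samples (not captured from a real host).
# -K: enables both GSSAPI authentication and credential delegation.
sample_K() {
    printf 'hostname gw.example.test\ngssapiauthentication yes\ngssapidelegatecredentials yes\n'
}
# -k with GSSAPIAuthentication already enabled in the config: only delegation
# is switched off, authentication is left as it was.
sample_k() {
    printf 'hostname gw.example.test\ngssapiauthentication yes\ngssapidelegatecredentials no\n'
}
# GSS auth itself turned off, e.g. with -o GSSAPIAuthentication=no.
sample_off() {
    printf 'hostname gw.example.test\ngssapiauthentication no\ngssapidelegatecredentials no\n'
}

# Hypothetical helper for a real host: non-zero exit when credentials would
# be delegated. Requires an ssh client that supports -G.
audit_host() {
    posture=$(ssh -G "$1" | gss_posture)
    echo "$1: $posture"
    [ "$posture" != "auth+deleg" ]
}

for s in sample_K sample_k sample_off; do
    printf '%-10s -> %s\n' "$s" "$("$s" | gss_posture)"
done
```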

Comment 2 Frank Cusack 2011-05-11 06:40:10 AEST
My mistake.  Current usage is fine.

Comment 3 Damien Miller 2011-09-06 15:32:56 AEST
close resolved bugs now that openssh-5.9 has been released