Bug 1620 - GSSAPIDelegateCredentials fails silently when given non-forwardable tickets
Status: NEW
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: Kerberos support
Version: 5.2p1
Hardware: Other All
Importance: P2 normal
Assignee: Assigned to nobody
Reported: 2009-07-10 10:21 AEST by Adam Megacz
Modified: 2009-09-10 04:01 AEST

Description Adam Megacz 2009-07-10 10:21:24 AEST
Executing

 ssh -vvv -oGSSApiAuthentication=on -oGSSApiDelegateCredentials=on host

produces no error messages if the tickets in the client's credentials cache are of the non-forwardable variety.  I'm not sure if this is a client or server bug, but one of them should produce some sort of message to explain why the user winds up logged in with no tickets.
Comment 1 Damien Miller 2009-09-09 10:40:54 AEST
I don't think that there is any error here. Non-forwardable tickets are not an error condition and neither is using GSSAPIDelegateCredentials with no forwardable tickets.

Also, it doesn't look like the GSSAPI provides an easy way for us to identify this case (but I am no expert on it).
Comment 2 Adam Megacz 2009-09-10 04:01:14 AEST
I don't think they're an error condition in general, unless the user has explicitly asked them to be forwarded with "-oGSSApiDelegateCredentials=on".  In that case openssh ought to inform the user that it was unable to carry out her explicit request.
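
A client-side pre-flight check for the case discussed in this thread, as an added example that is not part of the bug report or of OpenSSH: it parses `klist -f` output (MIT Kerberos layout assumed) and warns before `ssh` is run with delegation when the TGT lacks the forwardable `F` flag. The function names `tgt_flags`, `tgt_is_forwardable` and `ssh_delegate`, and the sample cache listings, are constructed for illustration.

```shell
#!/bin/sh
# Added example, not OpenSSH code. Assumes the MIT Kerberos "klist -f" layout,
# where ticket flags appear on the line after each ticket as "Flags: <letters>".

# Constructed sample listings (not captured from a real host).
SAMPLE_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
07/10/2009 10:00:00  07/10/2009 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 07/17/2009 10:00:00, Flags: FRIA'

SAMPLE_NONFORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
07/10/2009 10:00:00  07/10/2009 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 07/17/2009 10:00:00, Flags: RIA'

# tgt_flags: read "klist -f" output on stdin, print the flag letters of the
# first krbtgt entry (prints nothing if there is no TGT or no Flags line).
tgt_flags() {
    awk '
        !in_tgt && /krbtgt\// { in_tgt = 1; next }
        in_tgt && /Flags:/ {
            sub(/.*Flags:[ \t]*/, "")   # drop everything up to the letters
            sub(/[ \t,].*/, "")         # drop anything after them
            print
            exit
        }
        in_tgt && /^[0-9]/ { exit }     # next ticket line: TGT had no flags
    '
}

# tgt_is_forwardable: succeed only if the TGT carries "F" (forwardable).
# The match is case-sensitive: lowercase "f" means "forwarded", not forwardable.
tgt_is_forwardable() {
    case "$(tgt_flags)" in
        *F*) return 0 ;;
        *)   return 1 ;;
    esac
}

# ssh_delegate: warn on stderr when delegation was requested but cannot happen.
ssh_delegate() {
    if ! klist -f 2>/dev/null | tgt_is_forwardable; then
        echo "warning: TGT is not forwardable; no credentials will be delegated (try kinit -f)" >&2
    fi
    ssh -oGSSAPIAuthentication=yes -oGSSAPIDelegateCredentials=yes "$@"
}
```

Sourcing the file and calling `ssh_delegate host` gives the user the message the report asks for without changing either the client or the server.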