Bug 1868 - 'ssh -k' should explicitly disable gss auth
Status: CLOSED WONTFIX
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: Kerberos support
Version: 5.8p1
Hardware: All All
Importance: P2 normal
Assignee: Assigned to nobody
Reported: 2011-02-24 13:44 AEDT by Frank Cusack
Modified: 2011-09-06 15:32 AEST
Description Frank Cusack 2011-02-24 13:44:06 AEDT
In ssh.c, the option handling for 'k' should disable gss auth. There should be an explicit

  options.gss_authentication = 0;

at ssh.c:362, mirroring the 'K' option handling just below that line.
Comment 1 Damien Miller 2011-05-06 11:58:44 AEST
I think the issue here is that -K and -k are not completely symmetrical:

>  -K   Enables GSSAPI-based authentication and forwarding (delegation)
>       of GSSAPI credentials to the server.
> 
>  -k   Disables forwarding (delegation) of GSSAPI credentials to the
>       server.

I think the rationale is that delegation requires authentication to be useful, but disabling delegation without disabling authentication is a useful thing to do too.
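
A simplified model of the asymmetry described in Comment 1, added here as an illustration and not taken from ssh.c or from the thread. `struct gss_opts`, `apply_flag` and `resolve` are hypothetical names, `gss_deleg_creds` is assumed as the name of the delegation field, and the left-to-right flag processing with a -1 "unset" sentinel is an assumption of the model.

```c
#include <stdio.h>

/* Simplified model of the two client options discussed in this bug.
 * -1 means "not set on the command line", so a configuration value
 * can still apply afterwards (assumption of this model). */
struct gss_opts {
    int gss_authentication;   /* GSSAPI authentication on/off */
    int gss_deleg_creds;      /* forward (delegate) credentials on/off */
};

/* Apply one flag the way the manual text quoted above describes it. */
static void apply_flag(struct gss_opts *o, char flag)
{
    switch (flag) {
    case 'K':                 /* enables authentication AND delegation */
        o->gss_authentication = 1;
        o->gss_deleg_creds = 1;
        break;
    case 'k':                 /* disables delegation only */
        o->gss_deleg_creds = 0;
        break;
    }
}

/* Process flags left to right, then fill unset fields from cfg_*. */
struct gss_opts resolve(const char *flags, int cfg_auth, int cfg_deleg)
{
    struct gss_opts o = { -1, -1 };
    for (; *flags; flags++)
        apply_flag(&o, *flags);
    if (o.gss_authentication == -1) o.gss_authentication = cfg_auth;
    if (o.gss_deleg_creds == -1)    o.gss_deleg_creds = cfg_deleg;
    return o;
}

int main(void)
{
    /* Constructed cases, each resolved against a config with both on. */
    const char *cases[] = { "k", "K", "Kk", "kK" };
    for (int i = 0; i < 4; i++) {
        struct gss_opts o = resolve(cases[i], 1, 1);
        printf("-%s with config auth=1 deleg=1 -> auth=%d deleg=%d\n",
               cases[i], o.gss_authentication, o.gss_deleg_creds);
    }
    return 0;
}
```

In this model `-k` alone leaves authentication at whatever the configuration says, which is the "authenticate but do not delegate" case Comment 1 calls useful.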
Comment 2 Frank Cusack 2011-05-11 06:40:10 AEST
My mistake.  Current usage is fine.
Comment 3 Damien Miller 2011-09-06 15:32:56 AEST
close resolved bugs now that openssh-5.9 has been released