Comment 3 for bug 1669033

Sam Hartman (hartmans) wrote : Re: [Bug 1669033] Re: Negative interaction with Kerberos

Can I get you to try turning off GssapiKeyExchange but leaving on
GssapiAuthentication?

An unfortunate side effect of the openssh protocol is that if you select
a particular GSS mechanism but cannot complete it, the ssh server has no
choice but to fail the key exchange.
That is, the server and client get exactly one shot to make key exchange
work.

So if one side thinks Kerberos will work and that turns out to not be
the case, you get into this situation.

It may be that the ssh gssapi patches are prematurely committing to key
exchange.

I wonder if you're jumping down the path of iakerb or some other
Kerberos-derived mechanism or something.
What's happening is that the client's initial gss_init_sec_context call
is succeeding, so the client commits to that key exchange mechanism, but
a couple steps in, the client discovers it cannot get a ticket.
For normal Kerberos, that happens in the first round trip.

This might kind of be our fault.
Our patches add support for arbitrary mechanisms based on their
mechanism attributes rather than having a hard-coded list.
In this instance, we may be regretting that.
I'm not entirely sure what a good solution is here.
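To make the asymmetry in the comment concrete (a failure inside a committed GSSAPI key exchange is fatal, while a failed GSSAPI userauth just falls through to the next method), here is an added Python model. It is not OpenSSH or Sam Hartman's code; the mechanism stand-in, the round counts and the outcome strings are constructed assumptions.

```python
"""Model of the one-shot GSSAPI key exchange described in the comment.
Constructed illustration, not OpenSSH code: the mechanism below imitates
gss_init_sec_context, and the only rule modelled is "commit after the first
successful call, no fallback once committed"."""

GSS_S_COMPLETE, GSS_S_CONTINUE_NEEDED, GSS_S_FAILURE = 0, 1, 2


def make_mechanism(fail_at_round):
    """Stand-in for gss_init_sec_context. Round 0 is the client's first call;
    the mechanism asks for more round trips until round 2, unless at
    `fail_at_round` it discovers it cannot get a ticket (None = never)."""
    def init_sec_context(round_no):
        if fail_at_round is not None and round_no >= fail_at_round:
            return GSS_S_FAILURE
        return GSS_S_COMPLETE if round_no >= 2 else GSS_S_CONTINUE_NEEDED
    return init_sec_context


def key_exchange(init_sec_context, gssapi_kex):
    """gss-group* kex: one attempt only. Return (succeeded, method)."""
    if not gssapi_kex or init_sec_context(0) == GSS_S_FAILURE:
        return True, "diffie-hellman"          # never committed to GSS kex
    round_no = 1
    while True:                                # committed: no second shot
        status = init_sec_context(round_no)
        if status == GSS_S_FAILURE:
            return False, "gssapi-kex-failed"
        if status == GSS_S_COMPLETE:
            return True, "gssapi-kex"
        round_no += 1


def authenticate(init_sec_context, gssapi_auth, other_methods=("publickey",)):
    """userauth: a method that fails is skipped and the next one is tried."""
    methods = (("gssapi-with-mic",) if gssapi_auth else ()) + other_methods
    for method in methods:
        if method != "gssapi-with-mic":
            return method                      # assume the other method works
        if all(init_sec_context(r) != GSS_S_FAILURE for r in range(3)):
            return method
    return None


def connect(gssapi_kex, gssapi_auth, fail_at_round):
    """Simulate one ssh connection and return the observed outcome."""
    mech = make_mechanism(fail_at_round)
    ok, kex = key_exchange(mech, gssapi_kex)
    if not ok:
        return f"kex {kex}: connection closed"
    auth = authenticate(mech, gssapi_auth)
    return f"kex {kex}, auth {auth}" if auth else f"kex {kex}, auth failed"
```

`connect(True, True, 1)` is the reported situation (ticket failure after the first round trip); `connect(False, True, 1)` is the suggested configuration, where the same failure is survivable.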