[OpenAFS] New OpenSSH-3.7p1 removes AFS support

Andreas Haupt ahaupt@ifh.de
Wed, 17 Sep 2003 09:53:42 +0200 (MEST)

On Tue, 16 Sep 2003, Alf Wachsmann wrote:

> On Tue, 16 Sep 2003, J Maynard Gelinas wrote:
> >   This may be slightly off-topic for the OpenAFS list, but the latest
> > OpenSSH-3.7p1 removes support for AFS, writing Kerberos 5 tickets to files
> > (in memory now), and Kerberos 4. Since an exploit for all previous OpenSSH
> > releases has just been announced, I'm somewhat confused about how to
> > handle this mess. Can anyone suggest a solution for remote logins which
> > supports SSH protocols 1 & 2, AFS and Kerberos, and builds properly on
> > Redhat Linux 7.x?
> We are patching the last version (3.6.1p2) of OpenSSH that still supports
> AFS. The patch for this new bug is small enough to do this:
> http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/openssh/buffer.c.diff?r1=

Yes, we had to do this as well. Somehow the Kerberos5 credentials
forwarding does not work in 3.7.1p1 with GSSAPI - the authentication
itself works. It's built against Heimdal. On the server side I just get:

debug1: No credentials stored

With the GSSAPI Patch for 3.6.1p2 this worked! Strange...


Andreas Haupt         E-Mail: ahaupt@ifh.de
 DESY Zeuthen
 Platanenallee 6
 15738 Zeuthen