* Russ Allbery ([EMAIL PROTECTED]) wrote: > Stephen Frost <[EMAIL PROTECTED]> writes: > > I just compiled Debian's 4.1p1 ssh w/ Simon's latest gssapi-keyx > > patch, and everything appears to have worked reasonably well, so, > > please update the packages to the more recent versions... > > The Kerberos patches have now been incorporated into the main Debian > openssh package, so the openssh-krb5 package will hopefully be going away > rather than moving to the latest version. Please give the current openssh > packages in unstable a try and see if they do everything you need. > > I'm trying to see if openssh-krb5 is going to need one final security > release or if it can just be retired at this point. (And also want to > make sure that the basic openssh packages now cover everything.)
This is kind of amusing. I was the one who pushed getting Simon's
gssapi-keyx patch into the main Debian openssh package. :) Yes, the new
packages work quite nicely. The only exception to that is that when
using a recent release of OpenSSH (so this would apply to openssh-krb5
if it was ever updated) libpam-krb5 is unable to generate the host
tickets in the appropriate spot. My understanding is that someone
(dilinger I think) is working on improving libpam-krb5 and hopefully
fixing this issue.
A workaround for this issue is to just ask users to kinit after they log
in. Not exactly perfect but certainly a workable solution till
libpam-krb5 gets fixed.
Thanks,
Stephen
signature.asc
Description: Digital signature
