I just tested this properly with a 1.3.4 implementation I built for someone else recently; I was incorrect. The only time that the KDC is not queried is if you do not have tickets to begin with. If you have valid realm tickets but try to log in with something like "ssh -l fakename valid.host.com", the KDC will be queried. I expect this is probably reasonable behavior in both cases. (The KDC _will_ be queried if you are using PAM to authenticate via Kerberos with password-interactive, also.)
Sorry to mislead; I tested briefly but didn't actually check to see if I had tickets before I did so.

-r.

On Tue, Sep 21, 2004 at 07:20:10PM -0400, Ken Raeburn wrote:
> On Sep 21, 2004, at 17:29, rachel elizabeth dillon wrote:
> >1. Are you trying to ssh as a user that exists on the other machine?
> >If the user does not exist in the other machine's /etc/passwd, then
> >I don't believe the KDC will ever be queried.
>
> That sounds like an undesirable leak of information from the server, if
> that's true.
>
> Ken

________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
