Last time I looked at the openssh source code, turning them on could interfere with the GSSAPI code: notably, it could cause the “old style” ticket forwarding hack to be attempted instead of GSSAPI credential delegation, which will fail with GSSAPI credentials.
On 7/15/16, 01:39, "[email protected] on behalf of Benjamin Kaduk" <[email protected] on behalf of [email protected]> wrote: >KerberosAuthentication yes >KerberosOrLocalPasswd yes >KerberosTicketCleanup yes >#KerberosGetAFSToken no >#KerberosUseKuserok yes As Brandon said, these are old/deprecated and it is unusual for them to be the desired configuration. But I don't know enough about what you want in order to be able to say that for sure. ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
