#573739 openssh-client: GSSAPIDelegateCredentials no longer works

Package:
openssh-client
Source:
openssh
Description:
secure shell (SSH) client, for secure access to remote machines
Submitter:
Thomas Themel
Date:
2010-03-13 14:33:05 UTC
Severity:
normal
#573739#5
Date:
2010-03-13 14:23:51 UTC
GSSAPIDelegateCredentials no longer works for me. Example:

themel@socrates:~$ kinit -f5
Password for themel@CERN.CH:
themel@socrates:~$ grep -A4 lxplus .ssh/config
Host lxplus
        ForwardX11 yes
        HostName lxplus.cern.ch
        GSSAPITrustDns yes
        GSSAPIAuthentication yes
        GSSAPIDelegateCredentials yes

Host lxplus*
        ForwardX11 yes
        GSSAPITrustDns yes
        GSSAPIAuthentication yes
        GSSAPIDelegateCredentials yes
themel@socrates:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: themel@CERN.CH

Valid starting     Expires            Service principal
03/13/10 14:42:39  03/14/10 15:42:38  krbtgt/CERN.CH@CERN.CH
        renew until 03/18/10 14:42:38
themel@socrates:~$ ssh lxplus249.cern.ch
[.. banner ..]
/usr/X11R6/bin/xauth:  timeout in locking authority file /afs/cern.ch/user/t/themel/.Xauthority
hepix: E: /usr/bin/fs returned error, no tokens?
-bash: /afs/cern.ch/user/t/themel/.bash_profile: Permission denied
[lxplus249] /afs/cern.ch/user/t/themel > klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_32651)


Kerberos 4 ticket cache: /tmp/tkt32651
klist: You have no tickets cached
[lxplus249] /afs/cern.ch/user/t/themel >

On an ancient etch machine (OpenSSH 4.3p2):

themel@eristoteles:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: themel@CERN.CH

Valid starting     Expires            Service principal
03/13/10 14:49:31  03/14/10 14:49:31  krbtgt/CERN.CH@CERN.CH


Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
themel@eristoteles:~$ ssh lxplus249.cern.ch
[.. banner ..]
[lxplus249] /afs/cern.ch/user/t/themel > klist
Ticket cache: FILE:/tmp/krb5cc_32651_WIyiRn3073
Default principal: themel@CERN.CH

Valid starting     Expires            Service principal
03/13/10 14:49:38  03/14/10 14:49:31  krbtgt/CERN.CH@CERN.CH


Kerberos 4 ticket cache: /tmp/tkt32651
klist: You have no tickets cached
[lxplus249] /afs/cern.ch/user/t/themel >

My somewhat unreliable memory is that this broke with the 5.3 upgrade, but I'm
not 100% sure about it.