Kerberos Ticket forwarding :: Support Forum

Christopher Guest

Kerberos Ticket forwarding

2006-07-02 16:35

Hi,

Kerberos authentication works really well, thanks a lot. But there is one small feature that lacks: Ticket forwarding. We use Kerberos at our university for nearly everything, even for the network filesystem (AFS, Andrew Filesystem). Without the ticket (TGT) there is no access to the home directory.

Would it be possible to add this small feature? Maybe as a configuration option (forward TGT to remote site)?

Thank you for this excellent program,

Christopher

Reply with quote

Christopher Guest

Re: Kerberos Ticket forwarding

2006-07-02 17:36

Hi,

just to mention: Just at the bottom of
<invalid hyperlink removed by admin>
I found the patch to PuTTY which adds GSSAPI support with ticket forwarding. Maybe that helps.

Thanks,
Christopher

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 41,442
Location:: Prague, Czechia

Re: Kerberos Ticket forwarding

2006-07-06

I'll check it.

Reply with quote

Christopher Guest

Re: Kerberos Ticket forwarding

2006-08-13 10:22

The interesting part is in ssh.c:

int deleg_flag = 0;
 
if (deleg_creds) {
        deleg_flag = GSS_C_DELEG_FLAG;
        logevent("GSSAPI: delegating credentials");
}
 
ctx->major = gss_init_sec_context(&ctx->minor,
    GSS_C_NO_CREDENTIAL, &ctx->context, ctx->name, ctx->oid,
    GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
    0, NULL, recv_tok, NULL, send_tok, flags, NULL);

If deleg_creds is set, credentials should be forwarded. This variable is mapped to ssh->cfg.gssapi_fwd_tgt. But: gssapi_fwd_tgt is not mentioned anywhere else in the source. So it seems to me that there is simply no connection between the GUI check box and this variable.

To check if this really is the missing piece, could you just build a test version with deleg_creds hard set to 1? I don't have any Borland compiler around...

Thanks,
Christopher

Reply with quote