Ticket #495 (closed defect: fixed)
The new ssh/ticket delegation user experience is terrible
| Reported by: | jdreed | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | Karmic Deploy (Canceled) |
| Component: | -- | Keywords: | |
| Cc: | | Fixed in version: | |
| Upstream bug: | | | |
Description
The combination of the fact that GSSAPIDelegateCredentials is not set on clients and that Debathena's sshd accepts non-delegated credentials is making for a terrible user experience on the dialups. (Whether or not the users *need* to be using the dialups is beside the point.)
In the long term, we would modify the patch to sshd on the old dialups, and upstream it, so that this was a configurable option in sshd_config, but that doesn't help us in the short term.
We added a warning, but no one reads it, and it doesn't help with SFTP connections.
Possible short-term solutions:
- Patch sshd on the dialups to restore the old functionality (mmanley is looking into this)
- Configure the dialups to run renew on the user's behalf if there are no tickets (this feels like a MitM attack, and will also break non-interactive sessions, or anything using expect(1), and possibly also break other things we haven't thought of)
- Configure ssh_config on Debathena to delegate to the dialups (we rejected this before based on security concerns, and also because having host-specific behavior might be more confusing)
- Configure the dialups to log you off (with a detailed error message) if you don't have tickets. Frankly, there's no need for anyone to be logged into athena.dialup without tickets/tokens. Anyone who actively _wants_ that situation almost certainly has access to another machine. Or Linerva.
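The host-scoped delegation that the third option above describes, shown as an added ssh_config example (not from the ticket or from Debathena's own config); the hostname pattern is an assumption:

```sshconfig
# ssh_config takes the FIRST value it finds for each option, so the
# host-specific stanza must come before the catch-all "Host *" block.

# Scoped exception: forward the Kerberos TGT only to the dialups, so the
# login shell has tickets/tokens. Hostname pattern is assumed, not taken
# from the ticket.
Host athena.dialup.example.edu
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

# Default for every other host: authenticate with GSSAPI if available,
# but do not hand the remote host a usable copy of the TGT.
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
```

With OpenSSH 6.8 or later, `ssh -G hostname` prints the effective configuration, so you can confirm which `GSSAPIDelegateCredentials` value applies to a given host before relying on it.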
Change History
sshd has been patched on the dialups.
Fixed.