This article applies to BoKS Manager 6.7.0, 6.7.1 and 7.0.0.
Description
The ssh client program does not honor the ok-as-delegate flag set in Kerberos service tickets by Active Directory. This means the program may delegate a TGT (ticket-granting ticket) to the remote side even if the ok-as-delegate flag is not set.
Resolution / Workaround
This issue can be resolved by applying hotfix HFBM-0140 (BoKS 6.7) or HFBM-0141 (BoKS 7.0), available for download from the HelpSystems Community Portal.
After installing this hotfix, set SSH_KRB_OK_AS_DELEGATE=on in the $BOKS_etc/ENV file to enable support in ssh for the ok-as-delegate flag.
The SSH_KRB_OK_AS_DELEGATE=on setting is required because the hotfix changes the behavior of the SSH client, and the new behavior must be enabled explicitly. GSSAPIDelegateCredentials must also be set to yes in $BOKS_etc/ssh/ssh_config for delegation to take place at all, but this is the default.
This hotfix applies to all BoKS hosts: Master, Replicas and Server Agents.
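One way to check a host for the two settings described above, as an added example that is not part of the original article or of BoKS. The function names and the three state names are hypothetical; it assumes ENV holds KEY=value lines, that ssh_config follows OpenSSH keyword syntax with the first occurrence winning, and it cannot tell whether the hotfix itself is installed.

```shell
#!/bin/sh
# Added example: report how this host's ssh client treats TGT delegation.
# Assumptions: ENV holds KEY=value lines (last assignment wins); ssh_config uses
# OpenSSH keyword syntax, first occurrence wins, Host/Match blocks not evaluated.

env_value() {   # env_value FILE KEY -> value, or empty if unset
    [ -r "$1" ] || return 0
    awk -F= -v k="$2" '
        /^[[:space:]]*#/ { next }
        { key = $1; gsub(/[[:space:]]/, "", key) }
        key == k { v = $2; gsub(/[[:space:]"]/, "", v); found = v }
        END { print found }' "$1"
}

ssh_value() {   # ssh_value FILE KEYWORD -> lower-cased value, or empty
    [ -r "$1" ] || return 0
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }
        { line = $0; sub(/^[[:space:]]+/, "", line)
          sub(/=/, " ", line); gsub(/"/, "", line)
          n = split(line, f, /[[:space:]]+/)
          if (n >= 2 && tolower(f[1]) == tolower(k)) { print tolower(f[2]); exit } }' "$1"
}

delegation_state() {   # delegation_state BOKS_ETC_DIR
    deleg=$(ssh_value "$1/ssh/ssh_config" GSSAPIDelegateCredentials)
    flag=$(env_value "$1/ENV" SSH_KRB_OK_AS_DELEGATE)
    [ -n "$deleg" ] || deleg=yes        # the article gives yes as the default
    if [ "$deleg" != yes ]; then
        echo disabled                   # no TGT is ever delegated
    elif [ "$flag" = on ]; then
        echo honors-ok-as-delegate      # effective only with the hotfix installed
    else
        echo unconditional              # TGT delegated regardless of the flag
    fi
}

# Stand-alone run: audit $BOKS_etc if set, otherwise a constructed sample tree.
dir=${BOKS_etc:-}
if [ -z "$dir" ]; then
    dir=$(mktemp -d) && mkdir "$dir/ssh"                    # constructed sample
    echo 'GSSAPIDelegateCredentials yes' > "$dir/ssh/ssh_config"
    echo 'SSH_KRB_OK_AS_DELEGATE=on' > "$dir/ENV"
    sample=1
fi
echo "TGT delegation: $(delegation_state "$dir")"
[ -z "${sample:-}" ] || rm -rf "$dir"
```

A result of unconditional on a host that connects to services not trusted for delegation is the condition this article's hotfix and setting are meant to remove.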