Kerberos, openssh, pam, and Solaris8

Suchun.Wu@bmo.com Suchun.Wu at bmo.com
Fri May 17 21:07:15 EDT 2002 

Hi,

I have downloaded OpenSSH_3.2.2p1 and Kerberos 5.1.2.5 to attempt my chance
to use kerberos with ssh on solaris 8. The result is negative. It seems
this time, the credential in /tmp is created with a correct name, i.e.
krb5cc_(user's UID). But it's still owned by root. As a result, you can
only gain access once with your password on Kerberos server (in my case, on
domain controller).

I then tried to use pam_krb5 at http://www.sourceforge.net. But I could not
get it compiled. When I did "./configure --with-krb5=/usr/local/kerberos",
I receive the following error message:

checking for krb5_init_context in -lkrb5... no
configure: error: libkrb5 not found!  Please use --with-krb5 to specify an
alternate basedir

Jason of UofW has mentioned in his previous email that he has raised a
request of fixing pam_krb5 module with Sun engineers. Whoever gets a fix
for this, please share it with everyone in the mailing list.

Any hints and helps would be appreciated,

Suchun

-------------------------------------------

From: Steve Langasek <vorlon at dodds.net>
To: Suchun.Wu at bmo.com
Cc: kerberos at mit.edu
Message-ID: <20020516180020.GD15192 at dodds.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <OFC9CBBF9E.A4B13235-ON85256BBB.00045ED3 at notes.bmo.com>
Errors-To: kerberos-admin at mit.edu
Date: Thu, 16 May 2002 13:00:22 -0500

On Wed, May 15, 2002 at 08:51:41PM -0400, Suchun.Wu at bmo.com wrote:

> Do you mean the module called "pam_krb5_migrate"? I'm really anxious to
> make it work. I would try it if it works for you. I'm sure I understand
> what you said:
> "download the pam_krb5 module via cvs". Please give out more detailed
> specification.

pam_krb5_migrate is a stackable module that only provides (as the name
suggests) a migration path to Kerberos -- it does not provide
Kerberos authentication services.  The module you're looking for is indeed
called 'pam_krb5', and should be downloaded from sourceforge using cvs
using the commands listed in the original message.  If you don't have cvs
on your system, perhaps someone else who uses Solaris will be able to tell
you where to find it.

Steve Langasek
postmodern programmer

> From: user at domain.invalid
> Message-ID: <3CE1768C.7060803 at domain.invalid>
> To: kerberos at mit.edu
> Errors-To: kerberos-admin at mit.edu
> Date: Tue, 14 May 2002 16:41:48 -0400
>
> Suchun Wu wrote:
> > Yes. I applied the patches posted on openssh web page. I believe
Jason's
> > comments (after your posting) are correct. He probably has the same
> problem.
> > I'll apply his patch and let you know the result.
> >
> > Thanks,
> >
> > Suchun
> >
>
> Yes this is broken in pam_krb5 from sun, supposedly there is a
> preliminary patch being developed for it but...
>
> go to http://www.sourceforge.net
>
> go to find the pam project and download the pam_krb5 module via
> cvs, (just press enter at the password prompt from the first command)
>
>
> cvs -d:pserver:anonymous at cvs.pam.sourceforge.net:/cvsroot/pam login
>
> cvs -z3 -d:pserver:anonymous at cvs.pam.sourceforge.net:/cvsroot/pam co
> pam_krb5
>
> This will download pam_krb5 dir into the current directory. I have had
> much better luck with this module.
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
http://mailman.mit.edu/mailman/listinfo/kerberos

More information about the Kerberos mailing list