Kerberos, openssh, pam, and Solaris8
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Mon May 20 13:18:39 EDT 2002
This is indeed a bug that is fixed in Solaris 9 and a patch
for Solaris 8 should be available very shortly.
-Wyllys
Suchun.Wu at bmo.com wrote:
> Hi,
>
> I have downloaded OpenSSH_3.2.2p1 and Kerberos 5.1.2.5 to attempt my chance
> to use kerberos with ssh on solaris 8. The result is negative. It seems
> this time, the credential in /tmp is created with a correct name, i.e.
> krb5cc_(user's UID). But it's still owned by root. As a result, you can
> only gain access once with your password on Kerberos server (in my case, on
> domain controller).
>
> I then tried to use pam_krb5 at http://www.sourceforge.net. But I could not
> get it compiled. When I did "./configure --with-krb5=/usr/local/kerberos",
> I receive the following error message:
>
> checking for krb5_init_context in -lkrb5... no
> configure: error: libkrb5 not found! Please use --with-krb5 to specify an
> alternate basedir
>
> Jason of UofW has mentioned in his previous email that he has raised a
> request of fixing pam_krb5 module with Sun engineers. Whoever gets a fix
> for this, please share it with everyone in the mailing list.
>
> Any hints and helps would be appreciated,
>
> Suchun
>
> -------------------------------------------
>
> From: Steve Langasek <vorlon at dodds.net>
> To: Suchun.Wu at bmo.com
> Cc: kerberos at mit.edu
> Message-ID: <20020516180020.GD15192 at dodds.net>
> Mime-Version: 1.0
> Content-Type: text/plain; charset=us-ascii
> Content-Disposition: inline
> In-Reply-To: <OFC9CBBF9E.A4B13235-ON85256BBB.00045ED3 at notes.bmo.com>
> Errors-To: kerberos-admin at mit.edu
> Date: Thu, 16 May 2002 13:00:22 -0500
>
> On Wed, May 15, 2002 at 08:51:41PM -0400, Suchun.Wu at bmo.com wrote:
>
>
>>Do you mean the module called "pam_krb5_migrate"? I'm really anxious to
>>make it work. I would try it if it works for you. I'm sure I understand
>>what you said:
>>"download the pam_krb5 module via cvs". Please give out more detailed
>>specification.
>
>
> pam_krb5_migrate is a stackable module that only provides (as the name
> suggests) a migration path to Kerberos -- it does not provide
> Kerberos authentication services. The module you're looking for is indeed
> called 'pam_krb5', and should be downloaded from sourceforge using cvs
> using the commands listed in the original message. If you don't have cvs
> on your system, perhaps someone else who uses Solaris will be able to tell
> you where to find it.
>
> Steve Langasek
> postmodern programmer
>
>
>>From: user at domain.invalid
>>Message-ID: <3CE1768C.7060803 at domain.invalid>
>>To: kerberos at mit.edu
>>Errors-To: kerberos-admin at mit.edu
>>Date: Tue, 14 May 2002 16:41:48 -0400
>>
>>Suchun Wu wrote:
>>
>>>Yes. I applied the patches posted on openssh web page. I believe
>>
> Jason's
>
>>>comments (after your posting) are correct. He probably has the same
>>
>>problem.
>>
>>>I'll apply his patch and let you know the result.
>>>
>>>Thanks,
>>>
>>>Suchun
>>>
>>
>>Yes this is broken in pam_krb5 from sun, supposedly there is a
>>preliminary patch being developed for it but...
>>
>>go to http://www.sourceforge.net
>>
>>go to find the pam project and download the pam_krb5 module via
>>cvs, (just press enter at the password prompt from the first command)
>>
>>
>>cvs -d:pserver:anonymous at cvs.pam.sourceforge.net:/cvsroot/pam login
>>
>>cvs -z3 -d:pserver:anonymous at cvs.pam.sourceforge.net:/cvsroot/pam co
>>pam_krb5
>>
>>This will download pam_krb5 dir into the current directory. I have had
>>much better luck with this module.
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos
More information about the Kerberos
mailing list