SSH, Solaris 8 Kerberos Client and Windows 2000 KDC

Candice Quates candice at sect232.org
Mon Sep 9 19:56:02 EDT 2002


In article <00fc01c24da2$ff3be030$ad978dca at sharayu>,
Parag Godkar <paragg at konark.ncst.ernet.in> wrote:
><snipped>
>However, when people ssh to solaris 8 servers - following
>symptoms are observed -
>
>1. People can ssh once and login. But another ssh session is 
>    denied.
>
>2. Running the "klist" command in the logged in session
>    of ssh gives the following error -
>
>    klist: Credentials cache file permissions incorrect 
>            while setting cache flags (ticket cache /tmp/krb5cc_1003)
>    
>    I checked the permissions in /tmp and observed that the 
>    cache is owned by "root" instead of the logged in person.
>
>3. After the person logs out, he is denied login access unless
>    I manually delete his cached credentials from /tmp.
>
>What is notable is that "telnet" to solaris 8 servers works
>just fine and has no such problems. 
>
>I saw that there was some discussion on this topic in the
>mailing list archives but no definite solution.
>
>Is this a problem with ssh server on Solaris 8 or a problem
>with kerberos on Solaris 8 or what is it ?

Okay, I'm going to go out on a limb here and hope that
you are running OpenSSH on Solaris 8.  This sounds exactly
like the problem that I had when authenticating SSH with PAM.

Jason Heiss posted a solution in this group on the thread
"kerberos, ssh, and solaris8" in May; the short version is that
OpenSSH makes a call to a broken mechanism in PAM, causing
the credential-writing process to fail midway through login.

Candice
-- 
candice at sect232.org
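
A check for the symptom reported in the thread above (a cache such as /tmp/krb5cc_1003 owned by root instead of the logged-in user), given as an added example that is not part of the original posts. The function name check_ccaches and the restriction to file names of the form krb5cc_<numeric uid> are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): flag Kerberos credential
# caches named krb5cc_<uid> whose owner or mode does not match the uid in
# the file name, the condition behind klist's
# "Credentials cache file permissions incorrect" error.

# check_ccaches DIR
# Prints one line per problem cache; returns 1 if any problem was found.
check_ccaches() {
    dir=${1:-/tmp}
    bad=0
    for f in "$dir"/krb5cc_*; do
        [ -f "$f" ] || continue          # no match, or not a regular file
        want=${f##*/krb5cc_}             # uid encoded in the file name
        case $want in
            ''|*[!0-9]*) continue ;;     # assumption: plain numeric names only
        esac
        # ls -n prints numeric ids: field 1 is the mode, field 3 the owner uid.
        # ls is used instead of stat(1), which is not available everywhere.
        set -- $(ls -ldn "$f")
        mode=$1 owner=$3
        if [ "$owner" != "$want" ]; then
            echo "OWNER $f owned by uid $owner, expected uid $want"
            bad=1
        fi
        # group and other permission bits are characters 5-10 of the mode
        perms=$(printf '%s' "$mode" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "MODE $f is $mode, expected no group/other access"
            bad=1
        fi
    done
    return $bad
}
```

Run it as `check_ccaches /tmp` on the SSH server after a login; an OWNER line for a user's cache matches symptom 2 in the quoted report.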


