cross-realm logins with ssh & pam_krb5

Douglas E. Engert deengert at anl.gov
Fri Jan 28 14:44:35 EST 2005



Troy Benjegerdes wrote:
> On Fri, Jan 28, 2005 at 11:06:28AM -0600, Douglas E. Engert wrote:
> 
>>
>>Troy Benjegerdes wrote:
>>
>>

> 
> 
> So, does the current openssh-3.8 work right with pam and/or afs with
> privledge separation turned on? My other wishlist item for ssh is
> support for changing expired kerberos passwords.. has anyone gotten this
> working?

3.8 takes to many mods, including Simon's gssapi mods and yes it can work
with priv sep.

3.9 has the gssapi mods, and only requires 2 mods, both reported, #922 is fixed,
and #918 is still listed as new.

But we are using our own krb5_pam routines which forces the ticket cache to
be written at the end of the pam_sm_authenticate rather then waiting
for the pam_sm_setcreds.

Not sure about the password changing as we have other means to change passwords.

> 
> Are there any other SSH implementations that have GSSAPI support?

On the PC SecureCRT and Kermit both have gssapi support which can work
with Kerberos for Windows. SecureCRT can even use the Microsoft SSPI directly.
Gssapi mods are available for PuTTY, and some packages like WinCVS have
a modified PuTTY with gssapi, that all work with OpenSSH.

Putty mods:          http://www.sweb.cz/v_t_m/#putty
Other PuTTY version: http://www.certifiedsecuritysolutions.com/downloads.html
SecureCRT clients
  and  unix servers:  http://www.vandyke.com
Kermit:              http://www.columbia.edu/kermit/sshclient.html

Try google for      ssh gssapi

If you are interested in patches to 3.9, drop me a note or see the
OpenSSH bugzilla #918 and #922.




-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


More information about the Kerberos mailing list