Openssh, kerberos and Solaris 10

Douglas E. Engert deengert at
Wed Aug 9 10:36:50 EDT 2006

Erich Weiler wrote:
> Hi all-
> I'm not sure this is the correct place to post about this but I'm 
> getting no response over an, if there is a more appropriate 
> place to post please let me know...  And the people at Sun scream at me 
> for even considering openssh when they supply their own version of SSH 
> which I'm not extremely fond of.
> Basically I'd like to compile OpenSSH with Kerberos support on Solaris 
> 10.  Solaris 10 comes with SEAM, Sun's port of MIT Kerberos.  SEAM works 
> great, no problem there.  My problem is:  Does anyone know how to 
> compile openssh on Solaris with native SEAM kerberos support? 

Yes and no. You can use the OpenSolaris header files and SEAM library
or, as Will pointed out, you can wait for Sun to release the API.

See the note below to this list from last year. There is no guarantee
that this will work, or that the OpenSolaris header files still match
what is in Solaris 10. But it is a start.

You will need something like
LDFLAGS="/usr/lib/gss/  -Wl,-R,/usr/lib/gss "

I also copied the MIT com_err.h and profile.h from MIT to /krb5/include.

We use this with CVS, POP and OpenAFS aklog to get Kerberos support.

And we too are waiting for Sun to release a supported API with Solaris 10.

> There is 
> a --with-kerberos=/dir compile time option with openssh but Sun doesn't 
> seem the have a single "directory" that they keep their kerberos 
> libraries in...  Not even sure they have GSSAPI at all, maybe just GSS?

Yes they gave a nice gssapi and we use that if possible.

>   Does anyone have any hints on this, or has anyone ever done it?  Or 
> maybe a better place to post?
> ciao, erich
> ________________________________________________
> Kerberos mailing list           Kerberos at
-------- Original Message --------
Subject: Using Solaris 10 built in Kerberos support with Kerberos application
Date: Tue, 23 Aug 2005 14:20:21 -0500
From: Douglas E. Engert <deengert at>
To: 'kerberos at' <kerberos at>

In an attempt to use vendor provided Kerberos support where possible, we have
been able to use the Solaris 10 Kerberos and the Solaris provided kinit, pam_krb5
and ssh or any application that uses Kerberos via GSSAPI.

But we have a number of other Kerberos applications, including qpop for Kerberized
pop service, aklog with OpenAFS and kerberized CVS.

The problem is that Solaris only exposes Kerberos via GSSAPI, and does not
provide the krb5.h files or the normal Kerberos libraries.

*What I would like to ask SUN is to include the krb5.h and its friends with the
Solaris 10 base system.*

To get around this,
has a krb5.h that appears to match the /usr/lib/gss/ that comes
with Solaris 10.  (I actually downloaded the tarfile to get the header files.)

I have managed to get qpop-4.0.5 and OpenAFS-1.4.0-RC1 aklog to compile and run
using this krb5.h with some modification, and the MIT-1.4.1 profile.h and com_err.h.

Some problems along the way:

   o has most of the Kerberos routines and can be used as a shared
     library, but is clumsy to link as its not a "libxxx"

   o The opensolaris krb5.h is not guaranteed to match the

   o The krb5.h refers to profile.h  which is not supplied.

   o Many of the Kerberos applications also use com_err.h which is not supplied.

   o There is no com_err add_error_table.

   o Solaris does not have krb524. So aklog can not use this feature.

But so far it still looks promising to use the Solaris 10 Kerberos and we
are expecting that Sun will continue to improve the usability of their
Kerberos support.


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list