Openssh, kerberos and Solaris 10

Douglas E. Engert deengert at
Wed Aug 9 10:52:51 EDT 2006

Markus Moeller wrote:

> There shouldn't be the need of compiling openssh with Kerberos as the 
> Solaris 10 version supports GSSAPI authentication.

Yes and no. Until you want to store the delegated credential or do a
krb5_userok test.

With OpenSSH-4.1 at least ssh_gssapi_krb5_storecreds and
ssh_gssapi_krb5_userok make krb5 API calls as gss never had a simple
authz function or a way to save the delegated creds.

Solaris 10's sshd uses PAM, to do these. OpenSSH should look at that
approach too, then it would not need Kerberos specific code either.

> Markus
> "Erich Weiler" <weiler at> wrote in message 
> news:44D922FA.1030509 at
>>Hi all-
>>I'm not sure this is the correct place to post about this but I'm
>>getting no response over an, if there is a more appropriate
>>place to post please let me know...  And the people at Sun scream at me
>>for even considering openssh when they supply their own version of SSH
>>which I'm not extremely fond of.
>>Basically I'd like to compile OpenSSH with Kerberos support on Solaris
>>10.  Solaris 10 comes with SEAM, Sun's port of MIT Kerberos.  SEAM works
>>great, no problem there.  My problem is:  Does anyone know how to
>>compile openssh on Solaris with native SEAM kerberos support?  There is
>>a --with-kerberos=/dir compile time option with openssh but Sun doesn't
>>seem the have a single "directory" that they keep their kerberos
>>libraries in...  Not even sure they have GSSAPI at all, maybe just GSS?
>> Does anyone have any hints on this, or has anyone ever done it?  Or
>>maybe a better place to post?
>>ciao, erich
>>Kerberos mailing list           Kerberos at
> ________________________________________________
> Kerberos mailing list           Kerberos at


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list