Openssh, kerberos and Solaris 10

Douglas E. Engert deengert at anl.gov
Wed Aug 9 10:52:51 EDT 2006



Markus Moeller wrote:

> There shouldn't be the need of compiling openssh with Kerberos as the 
> Solaris 10 version supports GSSAPI authentication.

Yes and no. Until you want to store the delegated credential or do a
krb5_userok test.

With OpenSSH-4.1 at least ssh_gssapi_krb5_storecreds and
ssh_gssapi_krb5_userok make krb5 API calls as gss never had a simple
authz function or a way to save the delegated creds.

Solaris 10's sshd uses PAM to do these. OpenSSH should look at that
approach too, then it would not need Kerberos specific code either.


> 
> Markus
> 
> "Erich Weiler" <weiler at soe.ucsc.edu> wrote in message 
> news:44D922FA.1030509 at soe.ucsc.edu...
> 
>>Hi all-
>>
>>I'm not sure this is the correct place to post about this but I'm
>>getting no response over at OpenSSH.org, if there is a more appropriate
>>place to post please let me know...  And the people at Sun scream at me
>>for even considering openssh when they supply their own version of SSH
>>which I'm not extremely fond of.
>>
>>Basically I'd like to compile OpenSSH with Kerberos support on Solaris
>>10.  Solaris 10 comes with SEAM, Sun's port of MIT Kerberos.  SEAM works
>>great, no problem there.  My problem is:  Does anyone know how to
>>compile openssh on Solaris with native SEAM kerberos support?  There is
>>a --with-kerberos=/dir compile time option with openssh but Sun doesn't
>>seem to have a single "directory" that they keep their kerberos
>>libraries in...  Not even sure they have GSSAPI at all, maybe just GSS?
>> Does anyone have any hints on this, or has anyone ever done it?  Or
>>maybe a better place to post?
>>
>>ciao, erich
>>________________________________________________
>>Kerberos mailing list           Kerberos at mit.edu
>>https://mailman.mit.edu/mailman/listinfo/kerberos
>>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


