Openssh, kerberos and Solaris 10
Douglas E. Engert
deengert at anl.gov
Wed Aug 9 10:52:51 EDT 2006
Markus Moeller wrote:
> There shouldn't be the need of compiling openssh with Kerberos as the
> Solaris 10 version supports GSSAPI authentication.
Yes and no. Until you want to store the delegated credential or do a
With OpenSSH-4.1 at least ssh_gssapi_krb5_storecreds and
ssh_gssapi_krb5_userok make krb5 API calls as gss never had a simple
authz function or a way to save the delegated creds.
Solaris 10's sshd uses PAM, to do these. OpenSSH should look at that
approach too, then it would not need Kerberos specific code either.
> "Erich Weiler" <weiler at soe.ucsc.edu> wrote in message
> news:44D922FA.1030509 at soe.ucsc.edu...
>>I'm not sure this is the correct place to post about this but I'm
>>getting no response over an OpenSSH.org, if there is a more appropriate
>>place to post please let me know... And the people at Sun scream at me
>>for even considering openssh when they supply their own version of SSH
>>which I'm not extremely fond of.
>>Basically I'd like to compile OpenSSH with Kerberos support on Solaris
>>10. Solaris 10 comes with SEAM, Sun's port of MIT Kerberos. SEAM works
>>great, no problem there. My problem is: Does anyone know how to
>>compile openssh on Solaris with native SEAM kerberos support? There is
>>a --with-kerberos=/dir compile time option with openssh but Sun doesn't
>>seem the have a single "directory" that they keep their kerberos
>>libraries in... Not even sure they have GSSAPI at all, maybe just GSS?
>> Does anyone have any hints on this, or has anyone ever done it? Or
>>maybe a better place to post?
>>Kerberos mailing list Kerberos at mit.edu
> Kerberos mailing list Kerberos at mit.edu
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
More information about the Kerberos