Openssh, kerberos and Solaris 10
Douglas E. Engert
deengert at anl.gov
Wed Aug 9 11:57:08 EDT 2006
Erich Weiler wrote:
>> With OpenSSH-4.1 at least ssh_gssapi_krb5_storecreds and
>> ssh_gssapi_krb5_userok make krb5 API calls as gss never had a simple
>> authz function or a way to save the delegated creds.
>> Solaris 10's sshd uses PAM, to do these. OpenSSH should look at that
>> approach too, then it would not need Kerberos specific code either.
> The main reason I need to compile OpenSSH with krb5 is because the way I
> have it working currently, OpenSSH using PAM, does not _forward_
> krb5 creds when SSHing to another machine.
You don't want it to forward? Or you do?
The Solaris 10 ssh_config GSSAPIDelegateCredentials option could be set
to not forward them.
If you do, could it be that the dtlogin is not getting forwardable tickets?
What does klist -f show?
Solaris looks at the krb5.conf file a little differently
than MIT. dtlogin and pam_krb5 look for forwardable = 1 in the [libdefault]
or [appdefault] sections. See the man pages.
> I have seen OpenSSH using
> GSS-API auth forward creds successfully, but not using Solaris PAM...
> Unless someone knows of a way I can forward kerberos TGTs using Solaris
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
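The two checks suggested in the reply above (the F flag in `klist -f` output, and `forwardable = 1` under `[libdefaults]`/`[appdefaults]` in krb5.conf), as an added shell example that is not part of the thread; the klist listing and krb5.conf fragments it reads are constructed samples, and `tgt_forwardable`/`conf_forwardable` are names chosen here:

```shell
#!/bin/sh
# Added example, not from the thread: the two diagnostics the reply asks about.
#  tgt_forwardable  - does the krbtgt entry in `klist -f` output carry the F flag?
#  conf_forwardable - does krb5.conf set forwardable in [libdefaults]/[appdefaults]?
# Both read stdin and print "yes" or "no". All inputs below are constructed.

tgt_forwardable() {
    awk '
        /krbtgt\//          { in_tgt = 1; next }       # the TGT line itself
        in_tgt && /Flags:/  {                          # its flags line
            f = substr($0, index($0, "Flags:") + 6); gsub(/[ \t]/, "", f)
            print (index(f, "F") ? "yes" : "no"); found = 1; exit
        }
        in_tgt && /^[0-9]/  { in_tgt = 0 }             # next ticket: TGT had no Flags
        END { if (!found) print "no" }
    '
}

conf_forwardable() {
    awk '
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/].*/, "", s); sect = tolower(s); next }
        (sect == "libdefaults" || sect == "appdefaults") && /^[ \t]*forwardable[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v); v = tolower(v)
            if (v == "1" || v == "true" || v == "yes") { found = 1; exit }
        }
        END { print (found ? "yes" : "no") }
    '
}

# Constructed klist -f listings: one with a forwardable TGT, one without.
KLIST_FWD='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
08/09/06 11:57:08  08/09/06 21:57:08  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 08/10/06 11:57:08, Flags: FRIA
08/09/06 11:58:00  08/09/06 21:57:08  host/box.example.com@EXAMPLE.COM
        Flags: A'
KLIST_NOFWD=$(printf '%s\n' "$KLIST_FWD" | sed 's/Flags: FRIA/Flags: RIA/')

# Constructed krb5.conf fragments: forwardable requested vs. set in the wrong section.
CONF_FWD='[libdefaults]
    default_realm = EXAMPLE.COM
    forwardable = 1
[realms]
    EXAMPLE.COM = { kdc = kdc.example.com }'
CONF_NOFWD='[realms]
    forwardable = 1
[libdefaults]
    default_realm = EXAMPLE.COM'

printf '%s\n' "$KLIST_FWD" | tgt_forwardable     # yes
printf '%s\n' "$CONF_NOFWD" | conf_forwardable   # no
```

A TGT that shows "no" here, or a krb5.conf that shows "no", is the case the reply describes: nothing downstream (PAM or GSS-API delegation) can forward a ticket that was never issued forwardable.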