Openssh, kerberos and Solaris 10

Douglas E. Engert deengert at
Wed Aug 9 11:57:08 EDT 2006

Erich Weiler wrote:

>> With OpenSSH-4.1 at least ssh_gssapi_krb5_storecreds and
>> ssh_gssapi_krb5_userok make krb5 API calls as gss never had a simple
>> authz function or a way to save the delegated creds.
>> Solaris 10's sshd uses PAM, to do these. OpenSSH should look at that
>> approach too, then it would not need Kerberos specific code either.
> The main reason I need to compile OpenSSH with krb5 is because the way I 
> have it working currently, OpenSSH using PAM, does not does _forward_ 
> krb5 creds when SSHing to another machine. 

You don't want it to forward?  or you do.
The Solaris 10 ssh_config GSSAPIDelegateCredentials option could be set
to not forward them.

If you do, could it be that the dtlogin is not getting forwardabel tickets?
What doe klist -f show?

Solaris looks a the krb5.conf file  at little differently
then MIT. dtlogin and pam_krb5 looks for forwardable = 1 in the [libdefault]
or [appdefault] sections. see the man pags.

> I have seen OpenSSH using 
> GSS-API auth forward creds successfully, but not using Solaris PAM... 
> Unless someone knows of a way I can forward kerberos TGTs using Solaris 
> PAM?
> -erich


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list