Openssh, kerberos and Solaris 10

Douglas E. Engert deengert at anl.gov
Wed Aug 9 12:08:11 EDT 2006


Another comment, if the problem is the Solaris 10 sshd is not saving
the forwarded credentials, it could be the pam.conf is not configured
correctly.  sshd calls pam with a number of different service names,
including sshd-password, sshd-gssapi, sshd-kbdint. (If one of these
is not found, "other" is used by pam :-( ) The man pages are not consistent
on the names actually used. You have to read the pam_krb5 and sshd pages
to figure this out.

The sshd does not set the KRB5CCNAME correctly either. We do this
with pam_krb5_cache.so.1 ccache=/tmp/krb5cc_%u_%p (user and PID)
to get session based credentials if possible. Works from sshd-gssapi,
but not from dtlogin where we are stuck with user based credentials.


Sun needs to get their act together on this too. But I would
rather live with this than to have to build OpenSSH and MIT Kerberos
when Sun is so close.

Erich Weiler wrote:

>>With OpenSSH-4.1 at least ssh_gssapi_krb5_storecreds and
>>ssh_gssapi_krb5_userok make krb5 API calls as gss never had a simple
>>authz function or a way to save the delegated creds.
>>
>>Solaris 10's sshd uses PAM, to do these. OpenSSH should look at that
>>approach too, then it would not need Kerberos specific code either.
> 
> 
> The main reason I need to compile OpenSSH with krb5 is because the way I
> have it working currently, OpenSSH using PAM, does not _forward_
> krb5 creds when SSHing to another machine.  I have seen OpenSSH using
> GSS-API auth forward creds successfully, but not using Solaris PAM...
> Unless someone knows of a way I can forward kerberos TGTs using Solaris PAM?
> 
> -erich
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
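The post's two configuration points (sshd's several PAM service names silently falling back to the "other" stack, and the ccache=/tmp/krb5cc_%u_%p option on the session stack) can be checked mechanically. The script below is an added example, not code from the post or from Sun: it parses a Solaris-style four-column pam.conf, reports which sshd service/module-type pairs have no stack of their own and will therefore resolve to "other", and pulls out the ccache= template. The sample pam.conf is constructed, and the %u/%p expansion simply follows the "user and PID" description in the post (assumed semantics of the pam_krb5_cache module mentioned there).

```python
"""Check how a Solaris-style pam.conf resolves the PAM service names sshd uses.

Added example (not from the post): Solaris sshd calls PAM with sshd-password,
sshd-gssapi and sshd-kbdint, and a missing stack falls back to 'other'.  This
script parses a pam.conf, lists the sshd service/type pairs that resolve to
'other', and extracts the ccache= option used on the session stack.
"""
from collections import defaultdict

# Constructed sample pam.conf (Solaris 4-column format), not a real system file.
SAMPLE_PAM_CONF = """\
# service     type      flag      module                  options
login         auth      required  pam_unix_auth.so.1
other         auth      required  pam_unix_auth.so.1
other         session   required  pam_unix_session.so.1
sshd-gssapi   auth      required  pam_krb5.so.1
sshd-gssapi   session   optional  pam_krb5_cache.so.1     ccache=/tmp/krb5cc_%u_%p
"""

# Service names the post says Solaris sshd passes to PAM.
SSHD_SERVICES = ("sshd-password", "sshd-gssapi", "sshd-kbdint")


def parse_pam_conf(text):
    """Return {service: [(module_type, control_flag, module_path, [options])]}.

    Comments (#) and blank lines are skipped; each remaining line must carry
    at least the four mandatory Solaris pam.conf columns.
    """
    stacks = defaultdict(list)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"pam.conf line {lineno}: expected 4+ columns: {raw!r}")
        service, module_type, control_flag, module_path = fields[:4]
        stacks[service].append((module_type, control_flag, module_path, fields[4:]))
    return dict(stacks)


def resolve_service(stacks, service, module_type):
    """Return (effective_service, entries) for one service/module-type pair.

    Solaris PAM falls back to the 'other' stack, per module type, when the
    named service has no entries of that type: the silent fallback the post
    complains about.
    """
    entries = [e for e in stacks.get(service, ()) if e[0] == module_type]
    if entries:
        return service, entries
    return "other", [e for e in stacks.get("other", ()) if e[0] == module_type]


def sshd_fallbacks(stacks, services=SSHD_SERVICES, module_types=("auth", "session")):
    """List (service, module_type) pairs that fall through to 'other'."""
    return [
        (svc, mtype)
        for svc in services
        for mtype in module_types
        if resolve_service(stacks, svc, mtype)[0] != svc
    ]


def ccache_template(stacks, service):
    """Return the ccache= value on the service's effective session stack, or None."""
    _, entries = resolve_service(stacks, service, "session")
    for _type, _flag, _module, options in entries:
        for opt in options:
            if opt.startswith("ccache="):
                return opt[len("ccache="):]
    return None


def expand_ccache(template, user, pid):
    """Expand %u/%p as the post describes (user and PID); assumed semantics."""
    return template.replace("%u", user).replace("%p", str(pid))


if __name__ == "__main__":
    stacks = parse_pam_conf(SAMPLE_PAM_CONF)
    for svc, mtype in sshd_fallbacks(stacks):
        print(f"{svc}/{mtype}: no stack defined, PAM will use 'other'")
    tmpl = ccache_template(stacks, "sshd-gssapi")
    print("sshd-gssapi ccache:", tmpl, "->", expand_ccache(tmpl, "erich", 4242))
```

Run against a real /etc/pam.conf (read the file instead of SAMPLE_PAM_CONF) to see whether a GSSAPI login really reaches the pam_krb5 stack you think it does; a service/type pair listed as falling back to "other" is the first thing to look at when forwarded credentials are not being stored.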


