Openssh, kerberos and Solaris 10

Nicolas Williams Nicolas.Williams at sun.com
Wed Aug 9 12:17:44 EDT 2006


On Wed, Aug 09, 2006 at 08:24:22AM -0700, Erich Weiler wrote:
> The main reason I need to compile OpenSSH with krb5 is because the way I 
> have it working currently, OpenSSH using PAM, does not _forward_ 
> krb5 creds when SSHing to another machine.  I have seen OpenSSH using 
> GSS-API auth forward creds successfully, but not using Solaris PAM... 
> Unless someone knows of a way I can forward kerberos TGTs using Solaris PAM?

You fundamentally misunderstand how network authentication and
credential forwarding work.

PAM is orthogonal to your problem.

In order to use network authentication you first need credentials.  You
acquire these using kinit(1) or when you first log in using a PAM-aware
login application whose PAM stack is configured to use pam_krb5(5).

(This also works with keylogin(1) and pam_dhkeys(5), if you use NIS+.)

Next you use telnet(1), ftp(1), ssh(1), etcetera, with appropriate
options.  The server has to have acceptor credentials, i.e., a
host-based principal name for the service 'host' and valid keytab
entries for these.

(Again, something similar goes for NIS+/DH.)

The client and server should negotiate the use of network authentication
and the client should delegate credentials if a) you have forwardable
tickets and b) you use the appropriate option.

PAM barely enters the picture on the server-side, and you should not be
prompted for any passwords.

So, what are you doing wrong?

Have you got a TGT on the client?  Is it forwardable?  See the kinit(1)
man page and post klist(1) (klist -fea) output.

Does your server have a keytab file?  klist -ke please.  Are those
keytab entries valid?  You can check this by doing something like:

# kinit -c /tmp/xyz123 -k host/<server.fqdn>
# klist -fea -c /tmp/xyz123
# kdestroy -c /tmp/xyz123

Now, if you address these issues and still have problems then ssh -vvv
and sshd -ddd output may be useful.

# /usr/lib/ssh/sshd -dddp 2222
...


% ssh -p 2222 ...
...

Cheers,

Nico
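An added check script, not part of Nico's message, that automates the client-side half of his checklist: it parses klist -fea output for a krbtgt ticket carrying the F (forwardable) flag and wraps the kinit -k / klist / kdestroy keytab test in a throwaway cache. The klist samples are constructed, and the flag-letter layout and the kinit -t keytab option follow MIT/Solaris klist and kinit conventions (assumed).

```sh
#!/bin/sh
# Added example, not from the original post. Client-side half of the
# checklist: is there a forwardable TGT, and does the host keytab work?

# Return 0 when the klist -fea output in $1 lists a krbtgt ticket whose
# flags contain F (forwardable); only the TGT is delegated, so only its
# flags matter. Flag letters follow MIT/Solaris klist (assumed).
tgt_forwardable() {
    printf '%s\n' "$1" | awk '
        /krbtgt\// { in_tgt = 1; next }
        in_tgt && /Flags:/ {
            for (i = 1; i <= NF; i++) if ($i == "Flags:") flags = $(i + 1)
            if (flags ~ /F/) found = 1   # uppercase F = forwardable, f = forwarded
            in_tgt = 0
        }
        END { if (found) exit 0; exit 1 }'
}

# Mirror the kinit -k / klist / kdestroy sequence from the post against a
# throwaway cache so the login cache is untouched. $1 = server FQDN,
# $2 = keytab path. Needs a reachable KDC, so it is not run on sample data.
keytab_valid() {
    cc="/tmp/krbchk.$$"
    if kinit -c "$cc" -k -t "$2" "host/$1"; then
        klist -fea -c "$cc"
        kdestroy -c "$cc"
        return 0
    fi
    return 1
}

# Constructed klist -fea output: a forwardable TGT (F present) ...
SAMPLE_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: erich@EXAMPLE.COM
Valid starting     Expires            Service principal
08/09/06 08:00:00  08/09/06 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 08/16/06 08:00:00, Flags: FRIA
        Addresses: (none)'

# ... and one that is not forwardable, the case where ssh will
# authenticate fine but never delegate anything.
SAMPLE_NOT_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: erich@EXAMPLE.COM
Valid starting     Expires            Service principal
08/09/06 08:00:00  08/09/06 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 08/16/06 08:00:00, Flags: RIA
        Addresses: (none)'

# Usage on a real server: ./krbcheck.sh server.fqdn /etc/krb5/krb5.keytab
if [ $# -eq 2 ]; then keytab_valid "$1" "$2"; fi
```

On the client, pipe live output in with `tgt_forwardable "$(klist -fea)"` before trying ssh with delegation enabled.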