OpenSSH, Kerberos and Solaris 10

Nicolas Williams Nicolas.Williams at
Wed Aug 9 13:07:13 EDT 2006

On Wed, Aug 09, 2006 at 09:52:51AM -0500, Douglas E. Engert wrote:
> Markus Moeller wrote:
> > There shouldn't be a need to compile OpenSSH with Kerberos, as the
> > Solaris 10 version supports GSSAPI authentication.
> Yes and no. Until you want to store the delegated credential or do a
> krb5_userok test.

Solaris' sshd does this using __gss_userok() and gss_store_cred().

> With OpenSSH-4.1 at least ssh_gssapi_krb5_storecreds and
> ssh_gssapi_krb5_userok make krb5 API calls as gss never had a simple
> authz function or a way to save the delegated creds.
> Solaris 10's sshd uses PAM to do these. OpenSSH should look at that
> approach too, then it would not need Kerberos specific code either.

No, Solaris 10's sshd does not use PAM to do these two tasks.
OpenSolaris' sshd will, however, soon enough.


