Openssh, kerberos and Solaris 10
jhutz at cmu.edu
Wed Aug 9 15:12:35 EDT 2006
On Wednesday, August 09, 2006 11:56:07 AM -0500 Nicolas Williams
<Nicolas.Williams at sun.com> wrote:
> On Wed, Aug 09, 2006 at 09:36:30AM -0700, Erich Weiler wrote:
>> I am getting credentials through PAM. That much is working. My
>> problem, very specifically, is that:
>> 1: I want SSH to automatically forward my krb5 credentials when I SSH
>> into another machine using public keys.
> This makes no sense. Why use public key authentication when you have
> Kerberos V?
I can see reasons why you might want to do that. For example, your
Kerberos credentials might not be sufficient to allow access to the remote
machine. However, that's beside the point. You can't do this, no matter
what implementation you use, because there is no provision in the SSH
protocol to allow this -- delegation of GSS-API credentials requires the
use of GSS-API key exchange or user authentication using the credentials
you wish to delegate. From a protocol standpoint, either is sufficient,
though some implementations may not support credential delegation with
GSS-API key exchange (stock OpenSSH doesn't support GSS-API key exchange at
all, but the Sun one does).
>> 2: I don't want to use Sun SSH; I would rather use OpenSSH. The reasons
>> for this are not applicable to this discussion.
> I thought they were. You seemed to think that SUNWssh didn't support
> something that it does support.
I have to agree with Nico here. You've said that the reason you want to
build OpenSSH instead of using Sun's version is to get credential
delegation. Sun's SSH does this, and in fact has better support overall
for both GSS-API and PAM than does OpenSSH.
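
Added example, not part of the original message and not code from either SSH implementation: a shell check of an OpenSSH client's effective configuration (the output of `ssh -G`) for the condition described above, that credentials are delegated only when GSS-API user authentication is what authenticates the session. The function name, the hostname in the usage comment and the default method order used when `preferredauthentications` is absent are assumptions.

```shell
# check_delegation: read `ssh -G <host>` output on stdin and report whether
# Kerberos credential delegation can happen on that connection.
# Usage (hostname is a placeholder):  ssh -G remote.example.org | check_delegation
check_delegation() {
    awk '
        BEGIN {
            # Assumed default order when the option is not set (ssh_config(5)).
            pref = "gssapi-with-mic,hostbased,publickey,keyboard-interactive,password"
        }
        $1 == "gssapiauthentication"      { auth  = $2 }
        $1 == "gssapidelegatecredentials" { deleg = $2 }
        $1 == "preferredauthentications"  { pref  = $2 }
        END {
            # Find the position of each method in the preference list.
            n = split(pref, m, ",")
            gss = 0; pk = 0
            for (i = 1; i <= n; i++) {
                if (m[i] == "gssapi-with-mic" && !gss) gss = i
                if (m[i] == "publickey"       && !pk)  pk  = i
            }
            if (auth != "yes")
                print "no-delegation: GSSAPIAuthentication is off"
            else if (deleg != "yes")
                print "no-delegation: GSSAPIDelegateCredentials is off"
            else if (!gss)
                print "no-delegation: gssapi-with-mic is not in PreferredAuthentications"
            else if (pk && pk < gss)
                # If the key is accepted first, the session is authenticated
                # without GSS-API and nothing is delegated.
                print "at-risk: publickey is tried before gssapi-with-mic"
            else
                print "ok: gssapi-with-mic is tried first with delegation enabled"
        }'
}
```

An "ok" verdict covers the client side only; the server must also accept `gssapi-with-mic` for the delegation to take place.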