Openssh, kerberos and Solaris 10

Jeffrey Hutzelman jhutz at
Wed Aug 9 15:12:35 EDT 2006

On Wednesday, August 09, 2006 11:56:07 AM -0500 Nicolas Williams 
<Nicolas.Williams at> wrote:

> On Wed, Aug 09, 2006 at 09:36:30AM -0700, Erich Weiler wrote:
>> I am getting credentials through PAM.  That much is working.  My
>> problem, very specifically, is that:
>> 1: I want SSH to automatically forward my krb5 credentials when I SSH
>> into another machine using public keys.
> This makes no sense.  Why use public key authentication when you have
> Kerberos V?

I can see reasons why you might want to do that.  For example, your 
Kerberos credentials might not be sufficient to allow access to the remove 
machine.  However, that's beside the point.  You can't do this, no matter 
what implementation you use, because there is no provision in the SSH 
protocol to allow this -- delegation of GSS-API credentials requires the 
use of GSS-API key exchange or user authentication using the credentials 
you wish to delegate.  From a protocol standpoint, either is sufficient, 
though some implementations may not support credential delegation with 
GSS-API key exchange (stock OpenSSH doesn't support GSS-API key exchange at 
all, but the sun one does).

>> 2: I don't want to use Sun SSH; I would rather use OpenSSH.  The reasons
>> for this are not applicable to this discussion.
> I thought they were.  You seemed to think that SUNWssh didn't support
> something that it does support.

I have to agree with Nico here.  You've said that the reason you want to 
build OpenSSH instead of using Sun's version is to get credential 
delegation.  Sun's SSH does this, and in fact has better support overall 
for both GSS-API and PAM than does OpenSSH.

-- Jeff

More information about the Kerberos mailing list