Openssh, kerberos and Solaris 10
Douglas E. Engert
deengert at anl.gov
Wed Aug 9 15:26:57 EDT 2006
Nicolas Williams wrote:
> On Wed, Aug 09, 2006 at 09:52:51AM -0500, Douglas E. Engert wrote:
>
>>Markus Moeller wrote:
>>
>>>There shouldn't be the need of compiling openssh with Kerberos as the
>>>Solaris 10 version supports GSSAPI authentication.
>>
>>Yes and no. Until you want to store the delegated credential or do a
>>krb5_userok test.
>
>
> Solaris' sshd does this using __gss_userok() and gss_store_cred().
Good, and that was what I was trying to get the Kerberos working group
interested in before Kitten was started.
>
>
>>With OpenSSH-4.1 at least ssh_gssapi_krb5_storecreds and
>>ssh_gssapi_krb5_userok make krb5 API calls as gss never had a simple
>>authz function or a way to save the delegated creds.
>>
>>Solaris 10's sshd uses PAM, to do these. OpenSSH should look at that
>>approach too, then it would not need Kerberos specific code either.
>
>
> No, Solaris 10's sshd does not use PAM to do these two tasks.
> OpenSolaris' sshd will, however, soon enough.
>
> Nico
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444