Openssh, kerberos and Solaris 10

Douglas E. Engert deengert at anl.gov
Wed Aug 9 15:26:57 EDT 2006



Nicolas Williams wrote:

> On Wed, Aug 09, 2006 at 09:52:51AM -0500, Douglas E. Engert wrote:
> 
>>Markus Moeller wrote:
>>
>>>There shouldn't be the need of compiling openssh with Kerberos as the 
>>>Solaris 10 version supports GSSAPI authentication.
>>
>>Yes and no. Until you want to store the delegated credential or do a
>>krb5_userok test.
> 
> 
> Solaris' sshd does this using __gss_userok() and gss_store_cred().

Good, and that was what I was trying to get the Kerberos working group
interested in before Kitten was started.

> 
> 
>>With OpenSSH-4.1 at least ssh_gssapi_krb5_storecreds and
>>ssh_gssapi_krb5_userok make krb5 API calls as gss never had a simple
>>authz function or a way to save the delegated creds.
>>
>>Solaris 10's sshd uses PAM, to do these. OpenSSH should look at that
>>approach too, then it would not need Kerberos specific code either.
> 
> 
> No, Solaris 10's sshd does not use PAM to do these two tasks.
> OpenSolaris' sshd will, however, soon enough.
> 
> Nico

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444



More information about the Kerberos mailing list