Openssh, kerberos and Solaris 10
Douglas E. Engert
deengert at anl.gov
Wed Aug 9 15:55:05 EDT 2006
Nicolas Williams wrote:
> On Wed, Aug 09, 2006 at 02:26:57PM -0500, Douglas E. Engert wrote:
>
>>
>>Nicolas Williams wrote:
>>
>>
>>>On Wed, Aug 09, 2006 at 09:52:51AM -0500, Douglas E. Engert wrote:
>>>
>>>
>>>>Markus Moeller wrote:
>>>>
>>>>
>>>>>There shouldn't be the need of compiling openssh with Kerberos as the
>>>>>Solaris 10 version supports GSSAPI authentication.
>>>>
>>>>Yes and no. Until you want to store the delegated credential or do a
>>>>krb5_userok test.
>>>
>>>
>>>Solaris' sshd does this using __gss_userok() and gss_store_cred().
>>
>>Good, and that was what I was trying to the kerberos working group
>>interested in before Kitten was started.
>
>
> gss_store_cred() is a KITTEN WG work item.
>
> __gss_userok() is not; should it be?
I would say yes. Every service needs to do this, and use the GSS creds
to test if it can use the local resource. So it in that regards it is
generic.
It depends on a notion of "user
> account," and so it's rather not so generic. But we could have an
> individual submission draft targetting Informational status for
> "gss_userok()"... Comments?
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the Kerberos
mailing list