Openssh, kerberos and Solaris 10
Jeffrey Hutzelman
jhutz at cmu.edu
Wed Aug 9 17:56:49 EDT 2006
On Wednesday, August 09, 2006 02:55:05 PM -0500 "Douglas E. Engert"
<deengert at anl.gov> wrote:
>> __gss_userok() is not; should it be?
>
> I would say yes. Every service needs to do this, and use the GSS creds
> to test if it can use the local resource. So it in that regards it is
> generic.
Actually, many services don't need to do this. An SSH server may want a
machenism-independent "userok" API to determine whether to allow access to
a local account, but lots of services have nothing to do with local
accounts.
More information about the Kerberos
mailing list