Openssh, kerberos and Solaris 10

[Will Fiveash]

On Wed, Aug 09, 2006 at 11:08:11AM -0500, Douglas E. Engert wrote:
> Another comment, if the problem is the Solaris 10 sshd is not saving
> the forwarded credentials, it could be the pam.conf is not configured
> correctly.  sshd calls pam with a number of different services names,
> including sshd-password, sshd-gssapi, sshd-kdbint. (If one of these
> is not found, other is used by pam :-(

sshd does not interact with PAM when storing the krb cred when doing
gssapi-* auth.  You may be seeing bug:

6241782 gss_store_cred() overwrite not working; sshd does not overwrite expired creds with delegated creds

This is fixed in opensolaris/Nevada but I don't think it has been
backported to S10 yet.  

> The man pages are not consistent on the names actually used. You have
> to read the pam_krb5 and sshd pages to figure this out.

Please send an example of the man page inconsistencies as we'll log a
bug if there's a problem.

> The sshd does not set the KRB5CCNAME correctly either. We do this
> with  pam_krb5_cache.so.1 ccache=/tmp/krb5cc_%u_%p  (user and PID)
> to get session based credentials if possible. Works from sshd-gssapi,
> but not from dtlogin where we are stuck with user basede credentials.
>
> Sun needs to get their act together on this too. But I would
> rather live with this then to have to build OpenSSH and MIT Kerberos
> when Sun is so close.

Yes, we are aware and have been thinking about this for a while.  To fix
this properly in Solaris is non-trivial and there is much on our plates
so it remains an issue.  More on this later...

-- 
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)