Openssh, kerberos and Solaris 10
William.Fiveash at sun.com
Thu Aug 10 15:05:43 EDT 2006
On Wed, Aug 09, 2006 at 11:08:11AM -0500, Douglas E. Engert wrote:
> Another comment, if the problem is the Solaris 10 sshd is not saving
> the forwarded credentials, it could be the pam.conf is not configured
> correctly. sshd calls pam with a number of different services names,
> including sshd-password, sshd-gssapi, sshd-kbdint. (If one of these
> is not found, other is used by pam :-( )
sshd does not interact with PAM when storing the krb cred when doing
gssapi-* auth. You may be seeing bug:
6241782 gss_store_cred() overwrite not working; sshd does not overwrite expired creds with delegated creds
This is fixed in opensolaris/Nevada but I don't think it has been
backported to S10 yet.
> The man pages are not consistent on the names actually used. You have
> to read the pam_krb5 and sshd pages to figure this out.
Please send an example of the man page inconsistencies as we'll log a
bug if there's a problem.
> The sshd does not set the KRB5CCNAME correctly either. We do this
> with pam_krb5_cache.so.1 ccache=/tmp/krb5cc_%u_%p (user and PID)
> to get session based credentials if possible. Works from sshd-gssapi,
> but not from dtlogin where we are stuck with user based credentials.
> Sun needs to get their act together on this too. But I would
> rather live with this than to have to build OpenSSH and MIT Kerberos
> when Sun is so close.
Yes, we are aware and have been thinking about this for a while. To fix
this properly in Solaris is non-trivial and there is much on our plates
so it remains an issue. More on this later...
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
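The point in the quoted text that sshd asks PAM for service names such as sshd-gssapi and sshd-kbdint, and that any name without its own pam.conf entries silently falls back to the "other" stack, can be checked with a small script. This is an added example, not code from the thread or from Sun; the pam.conf content is constructed for the demonstration and the helper names are my own.

```shell
#!/bin/sh
# Added example: report which sshd PAM service names have explicit entries
# in a Solaris-style pam.conf and which would fall back to "other".
# Constructed sample pam.conf (not a real system file) for demonstration.
SAMPLE_PAM_CONF=$(mktemp)
cat > "$SAMPLE_PAM_CONF" <<'EOF'
# service     type  control   module                 options
sshd-gssapi   auth  required  pam_krb5_cache.so.1    ccache=/tmp/krb5cc_%u_%p
sshd-gssapi   auth  required  pam_unix_cred.so.1
other         auth  requisite pam_authtok_get.so.1
other         auth  required  pam_unix_auth.so.1
EOF

# pam_services FILE: print the unique service names defined in FILE,
# skipping blank lines and comments.
pam_services() {
    awk '!/^[[:space:]]*(#|$)/ { print $1 }' "$1" | sort -u
}

# pam_service_status FILE SERVICE: "explicit" when SERVICE has its own
# entries, "falls-back-to-other" when PAM would use the "other" stack.
pam_service_status() {
    if pam_services "$1" | grep -qx "$2"; then
        echo explicit
    else
        echo falls-back-to-other
    fi
}

# pam_sshd_report FILE: one line per sshd service name named in the thread.
pam_sshd_report() {
    for svc in sshd-password sshd-gssapi sshd-kbdint; do
        printf '%s %s\n' "$svc" "$(pam_service_status "$1" "$svc")"
    done
}

pam_sshd_report "$SAMPLE_PAM_CONF"
```

On a real host, point pam_sshd_report at /etc/pam.conf; a service reported as falling back to "other" is authenticating with a stack that was not written for sshd.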