Solaris ssh pam_krb

Douglas E. Engert deengert at anl.gov
Wed Mar 29 11:02:54 EST 2006



Casper H.S. Dik wrote:

> deengert at anl.gov ("Douglas E. Engert") writes:
> 
> 
> 
>>On Solaris 10, the Solaris ssh and sshd work pretty well with the Solaris 10
>>Kerberos. We can even get them to get AFS tokens.
> 
> 
>>Solaris 9 is a different story. We use The MIT Kerberos and OpenSSH.
> 
> 
> I believe most of Solaris 10 SSH is now backported to Solaris 9, so
> you could give that a try. (patch 113273-11 for SPARC)


Thanks for the info. OpenSSH and MIT Kerberos are working fine on Solaris 9.

But on Solaris 10 we wanted to use the Solaris versions, and so far we have
gotten along, except for the problems of session-based credentials, where
each session has its own ticket cache pointed at by the KRB5CCNAME.


We can get sshd to do this, but none of the other programs. So we
have to live with the default uid-based cache, i.e.
/tmp/krb5cc_<uid>, shared by all the sessions of the same user.

If you really wanted to get this to work better, add a parameter
on to your pam_krb5 to support this, and have it set the KRB5CCNAME.

Another problem is that only the gssapi is exposed, and not the underlying
Krb5 API. We do have a few programs that need this, but most are still
on Solaris 9, and we have been able to use the OpenSolaris krb5 header
files from ./usr/src/uts/common/gssapi/mechs/krb5/include
and link against the /usr/lib/gss/mech_krb5.so.

Please expose the Krb5 API.

> 
> Casper

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
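
The difference between the shared uid-based cache and a session-based cache described in the message above, as an added example that is not part of the original post and is not Solaris or pam_krb5 code. The function names are hypothetical, and the `FILE:` prefix assumes a file-type credential cache.

```shell
#!/bin/sh
# Added illustration: uid-based vs. per-session Kerberos credential cache
# names. All function names here are hypothetical.

# Default cache name: one file shared by every session of the same user.
default_ccname() {
    echo "FILE:/tmp/krb5cc_$(id -u)"
}

# Create a private, uniquely named cache file for one session and print the
# KRB5CCNAME value pointing at it. mktemp creates the file with mode 0600
# and fails instead of reusing an existing name.
new_session_ccname() {
    dir="${1:-/tmp}"
    cc=$(mktemp "$dir/krb5cc_$(id -u)_XXXXXX") || return 1
    echo "FILE:$cc"
}

# Remove the cache file named by a KRB5CCNAME value when the session ends.
# Only FILE: caches are handled; any other cache type is refused.
destroy_session_ccname() {
    case "$1" in
        FILE:*) path=${1#FILE:} ;;
        *) return 1 ;;
    esac
    [ -f "$path" ] && rm -f "$path"
}

# Session start (run in the login shell or a wrapper):
#   KRB5CCNAME=$(new_session_ccname) && export KRB5CCNAME
#   trap 'destroy_session_ccname "$KRB5CCNAME"' EXIT
```

With a per-session name, ending one session removes only that session's tickets; with the default name, every session of the user reads and destroys the same file.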
