Solaris ssh pam_krb

Douglas E. Engert deengert at
Wed Mar 29 11:02:54 EST 2006

Casper H.S. Dik wrote:

> deengert at ("Douglas E. Engert") writes:
>>On Solaris 10, the Solaris ssh and sshd work pretty well with the Solaris 10
>>Kerberos. We can even get them to get AFS tokens.
>>Solaris 9 is a different story. We use The MIT Kerberos and OpenSSH.
> I believe most of Solaris 10 SSH is now backported to Solaris 9, so
> you could give that a try. (patch 113273-11 for SPARC)

Thanks for the info. OpenSSH and MIT Kerberos are working fine on Solaris 9.

But On Solaris 10 we wanted to the Solaris versions, and so far we have
gotten along, except for the problems of session based credentials. where
each session has its own ticket cache pointed at by the KRB5CCNAME

We can get sshd to do this, but none of the other programs. So we
have to live with the default uid based cache.  i.e.
/tmp/krb5cc_<uid> shared by all the sessions of the same user.

If you really wanted to get this to work better, add a parameter
on to your pam_krb5 to support this, and have it set the KRB5CCNAME.

Another problem is that only the gssapi is exposed, and not the underlying
Krb5 API. We do have a few programs that need this but most are still
on Solaris 9 and we have been able to use the Opensolaris krb5 header
files from ./usr/src/uts/common/gssapi/mechs/krb5/include
and link against the /usr/lib/gss/

Please expose the Krb5 API.

> Casper


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list