Solaris 10 sshd + GSSAPI = where's my cred cache?

Douglas E. Engert deengert at anl.gov
Thu Nov 1 15:53:41 EDT 2007



Jeff Blaine wrote:
> I apologize for the general nature of this post.  Maybe it's
> better posted to the secureshell list which is loaded with
> spam and is often choked up sitting on some server somewhere,
> but...
> 
> I can ssh with GSSAPI auth to a Solaris 10 box fine.  When
> I'm in though, klist says I have no credential cache and
> there's nothing useful in /tmp.

What does your /etc/pam.conf look like?


We force ssh via PAM to be a session based cred, and get AFS token too:

# Used by GSS, but ssh has bug about saving creds, so we use session based creds.

sshd-gssapi   account requisite  pam_roles.so.1
sshd-gssapi   account required   pam_unix_account.so.1
sshd-gssapi   account required   /krb5/lib/pam_krb5_ccache.so.1  ccache=/tmp/krb5cc_%u_%p

sshd-gssapi   session required  pam_unix_session.so.1
sshd-gssapi   session required  /krb5/lib/pam_afs2.so.1
sshd-gssapi   session required  /krb5/lib/pam_krb5_ccache.so.1  cleaen

See:
ftp://achilles.ctd.anl.gov/pub/DEE/pam_krb5_ccache-0.1.tar
ftp://achilles.ctd.anl.gov/pub/DEE/pam_afs2-0.1.tar

> 
> Has anyone come across this and found an answer?
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
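
Added example (not part of the original post, and not code from the pam_krb5_ccache or pam_afs2 distributions): a shell check for the "What does your /etc/pam.conf look like?" question above. It prints the entries that the sshd-gssapi service actually uses, falling back to the "other" service when a service has none of its own for a module type, and reports whether pam_krb5_ccache is in the account and session stacks. The function names and the "other" lines in the sample file are constructed for illustration.

```shell
# Added example: effective PAM stack lookup for a Solaris-style pam.conf.
# Line format: service  module_type  control_flag  module_path  [options]
# Simplification: backslash-continued lines are not joined.

# pam_stack FILE SERVICE TYPE
# Print the entries used for SERVICE and TYPE. A service with no entry of
# that type falls back to the entries of the "other" service.
pam_stack() {
    awk -v svc="$2" -v typ="$3" '
        /^[ \t]*#/ || NF < 4 { next }      # comments, blank and short lines
        $2 != typ            { next }
        $1 == svc            { own[++n] = $0 }
        $1 == "other"        { dfl[++m] = $0 }
        END {
            if (n) { for (i = 1; i <= n; i++) print own[i] }
            else   { for (i = 1; i <= m; i++) print dfl[i] }
        }' "$1"
}

# stack_has_module FILE SERVICE TYPE NAME
# Succeed if a module whose file name starts with NAME is in that stack.
stack_has_module() {
    pam_stack "$1" "$2" "$3" | awk -v name="$4" '
        { k = split($4, p, "/"); if (index(p[k], name) == 1) found = 1 }
        END { exit !found }'
}

# Constructed sample: the sshd-gssapi lines as posted, plus made-up "other"
# defaults so that a service without its own entries shows the fallback.
write_sample() {
    cat > "$1" <<'EOF'
other         account required   pam_unix_account.so.1
other         session required   pam_unix_session.so.1
sshd-gssapi   account requisite  pam_roles.so.1
sshd-gssapi   account required   pam_unix_account.so.1
sshd-gssapi   account required   /krb5/lib/pam_krb5_ccache.so.1  ccache=/tmp/krb5cc_%u_%p
sshd-gssapi   session required  pam_unix_session.so.1
sshd-gssapi   session required  /krb5/lib/pam_afs2.so.1
sshd-gssapi   session required  /krb5/lib/pam_krb5_ccache.so.1  cleaen
EOF
}

conf=$(mktemp) && write_sample "$conf"
for t in account session; do
    stack_has_module "$conf" sshd-gssapi "$t" pam_krb5_ccache && r=present || r=missing
    echo "sshd-gssapi $t: pam_krb5_ccache $r"
done
rm -f "$conf"
```

On a real host, pass /etc/pam.conf to the two functions instead of the sample file.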


