Solaris 10 sshd + GSSAPI = where's my cred cache?
Jeff Blaine
jblaine at kickflop.net
Thu Nov 1 16:31:39 EDT 2007
Douglas E. Engert wrote:
> Jeff Blaine wrote:
>> I apologize for the general nature of this post. Maybe it's
>> better posted to the secureshell list which is loaded with
>> spam and is often choked up sitting on some server somewhere,
>> but...
>>
>> I can ssh with GSSAPI auth to a Solaris 10 box fine. When
>> I'm in though, klist says I have no credential cache and
>> there's nothing useful in /tmp.
>
> What does your /etc/pam.conf look like?
I was using the sshd non-PAM GSSAPIAuthentication (enabled
by default).
> We force ssh via PAM to be a session based cred, and get AFS token too:
>
> # Used by GSS, but ssh has bug about saving creds, so we use session based creds.
That kind of explains things then. I guess it's a bug, eh?
PAM works better for us anyway, I was just thinking I might
have poor luck with it and ticket forwarding.
I'll give it a shot.
> sshd-gssapi account requisite pam_roles.so.1
> sshd-gssapi account required pam_unix_account.so.1
> sshd-gssapi account required /krb5/lib/pam_krb5_ccache.so.1 ccache=/tmp/krb5cc_%u_%p
>
> sshd-gssapi session required pam_unix_session.so.1
> sshd-gssapi session required /krb5/lib/pam_afs2.so.1
> sshd-gssapi session required /krb5/lib/pam_krb5_ccache.so.1 cleaen
I'll
> See:
> ftp://achilles.ctd.anl.gov/pub/DEE/pam_krb5_ccache-0.1.tar
> ftp://achilles.ctd.anl.gov/pub/DEE/pam_afs2-0.1.tar
>
>>
>> Has anyone come across this and found an answer?