Solaris 10 sshd + GSSAPI = where's my cred cache?

Nicolas Williams Nicolas.Williams at sun.com
Thu Nov 1 16:53:33 EDT 2007


On Thu, Nov 01, 2007 at 04:31:39PM -0400, Jeff Blaine wrote:
> Douglas E. Engert wrote:
> > Jeff Blaine wrote:
> >> I apologize for the general nature of this post.  Maybe it's
> >> better posted to the secureshell list which is loaded with
> >> spam and is often choked up sitting on some server somewhere,
> >> but...
> >>
> >> I can ssh with GSSAPI auth to a Solaris 10 box fine.  When
> >> I'm in though, klist says I have no credential cache and
> >> there's nothing useful in /tmp.
> > 
> > What does your /etc/pam.conf look like?

Doug, that should have little or nothing to do with this in S10.

> I was using the sshd non-PAM GSSAPIAuthentication (enabled
> by default).

OK, really specific instructions:

1) On the server make sure that you are not setting the following
   sshd_config(4) parameters or that you set them as follows:

# One or both of GSSAPIAuthentication and GSSAPIKeyExchange must be on
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPIStoreDelegatedCredentials yes

   Restart the ssh service if you had to change this.

2) On the client side make sure that you have credentials to delegate
   (klist -f should show a forwardable TGT in your ccache).

3) On the client make sure that you're not disabling the relevant
   ssh_config(4) parameters in /etc/ssh/ssh_config or in ~/.ssh/config,
   particularly GSSAPIDelegateCredentials.

To debug this try running ssh -vvv.  If that does not produce enough
information then try running sshd in debug mode as well:

# /usr/lib/ssh/sshd -dddp 2222
...

% ssh -p 2222 ...
...

Capture the output and send it to me.

> > We force ssh via PAM to be a session based cred, and get AFS token too:
> > 
> > # Used by GSS, but ssh has bug about saving creds, so we use session 
> > based creds.
> 
> That kind of explains things then.  I guess it's a bug, eh?

It's not.  Doug is doing something that is very specific to his site.

Nico
-- 
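An added example, not from the original post and not Sun's ssh code: a shell self-check that walks Nico's three conditions above over configuration and klist text. The sample sshd_config, ssh_config and klist -f files it writes are constructed here for illustration; on a real system the inputs would be /etc/ssh/sshd_config on the server, /etc/ssh/ssh_config or ~/.ssh/config on the client, and the output of klist -f. It assumes OpenSSH-style "first uncommented match wins" keyword semantics and that the three sshd GSSAPI keywords and the client's GSSAPIDelegateCredentials default to yes when unset, as the thread implies; both are assumptions of the example, not statements from the post.

```shell
#!/bin/sh
# Added example (not from the post): check the three preconditions for
# ending up with a delegated credential cache after a GSSAPI ssh login.
# ASSUMPTIONS: first uncommented keyword wins (OpenSSH semantics); unset
# GSSAPI keywords default to "yes"; inputs below are constructed samples.

# effective_value FILE KEYWORD DEFAULT: first uncommented setting, else DEFAULT.
effective_value() {
    awk -v kw="$2" -v def="$3" '
        $1 !~ /^#/ && tolower($1) == tolower(kw) { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# check_sshd SSHD_CONFIG: 0 when the server will store delegated creds, i.e.
# GSSAPIStoreDelegatedCredentials is on and at least one of
# GSSAPIAuthentication / GSSAPIKeyExchange is on.
check_sshd() {
    auth=$(effective_value "$1" GSSAPIAuthentication yes)
    kex=$(effective_value "$1" GSSAPIKeyExchange yes)
    store=$(effective_value "$1" GSSAPIStoreDelegatedCredentials yes)
    if [ "$store" != yes ]; then
        echo "server: GSSAPIStoreDelegatedCredentials is $store (must be yes)"
        return 1
    fi
    if [ "$auth" != yes ] && [ "$kex" != yes ]; then
        echo "server: GSSAPIAuthentication=$auth GSSAPIKeyExchange=$kex (one must be yes)"
        return 1
    fi
    echo "server: ok (auth=$auth kex=$kex store=$store)"
}

# check_client SSH_CONFIG: 0 when the client will actually delegate.
check_client() {
    deleg=$(effective_value "$1" GSSAPIDelegateCredentials yes)
    if [ "$deleg" != yes ]; then
        echo "client: GSSAPIDelegateCredentials is $deleg (must be yes)"
        return 1
    fi
    echo "client: ok (GSSAPIDelegateCredentials=$deleg)"
}

# tgt_forwardable KLIST_OUTPUT: 0 when the krbtgt entry of `klist -f` output
# carries the F (forwardable) flag; without it there is nothing to delegate.
tgt_forwardable() {
    awk '
        /krbtgt\// { in_tgt = 1 }
        in_tgt && /Flags:/ {
            flags = $0; sub(/.*Flags:[ \t]*/, "", flags)
            if (flags ~ /F/) found = 1
            in_tgt = 0
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# report SSHD_CONFIG SSH_CONFIG KLIST_OUTPUT: run all three checks; 0 only if all pass.
report() {
    rc=0
    check_sshd "$1" || rc=1
    check_client "$2" || rc=1
    if tgt_forwardable "$3"; then echo "client: TGT is forwardable"
    else echo "client: TGT is not forwardable; re-run kinit -f"; rc=1; fi
    return $rc
}

# --- constructed sample inputs (stand-ins for the real files) ---
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/sshd_config.bad" <<'EOF'
Protocol 2
GSSAPIAuthentication yes
GSSAPIKeyExchange no
GSSAPIStoreDelegatedCredentials no
EOF
cat > "$WORK/sshd_config.good" <<'EOF'
Protocol 2
#GSSAPIAuthentication no   <- commented out, so the default (yes) applies
GSSAPIKeyExchange yes
GSSAPIStoreDelegatedCredentials yes
EOF
printf 'Host *\n    GSSAPIDelegateCredentials no\n' > "$WORK/ssh_config.bad"
printf 'Host *\n    GSSAPIAuthentication yes\n    GSSAPIDelegateCredentials yes\n' > "$WORK/ssh_config.good"
cat > "$WORK/klist.fwd" <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: jblaine@EXAMPLE.COM

Valid starting     Expires            Service principal
11/01/07 16:00:00  11/02/07 02:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 11/08/07 16:00:00, Flags: FRIA
EOF
sed 's/Flags: FRIA/Flags: IA/; /renew until/s/renew until [^,]*, //' "$WORK/klist.fwd" > "$WORK/klist.nofwd"

echo "--- misconfigured site (constructed) ---"
report "$WORK/sshd_config.bad" "$WORK/ssh_config.bad" "$WORK/klist.nofwd" || echo "FAIL: no ccache expected after login"
echo "--- after steps 1-3 ---"
report "$WORK/sshd_config.good" "$WORK/ssh_config.good" "$WORK/klist.fwd" && echo "PASS: delegated ccache expected after login"
```

Run it as-is to see both the failing and the passing case; to check a real host, point the three functions at the actual files (for the client side, remember ~/.ssh/config is consulted before /etc/ssh/ssh_config, so check both). A clean report still only covers the configuration side; if the ccache is still missing afterwards, the ssh -vvv and sshd -dddp 2222 traces Nico asks for are the next step.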