Solaris 10 sshd + GSSAPI = where's my cred cache?

Douglas E. Engert deengert at anl.gov
Thu Nov 1 17:11:06 EDT 2007



Nicolas Williams wrote:

> 
> # One or both of GSSAPIAuthentication and GSSAPIKeyExchange must be on
> GSSAPIAuthentication yes
> GSSAPIKeyExchange yes
> GSSAPIStoreDelegatedCredentials yes
> 

The defaults for all of these are yes; we did not have to change
/etc/ssh/sshd_config.


>    Restart the ssh service if you had to change this.
> 
> 2) On the client side make sure that you have credentials to delegate
>    (klist -f should show a forwardable TGT in your ccache).
> 

Yes.

> 3) On the client make sure that you're not disabling the relevant
>    ssh_config(4) parameters in /etc/ssh/ssh_config or in ~/.ssh/config,
>    particularly GSSAPIDelegateCredentials.
> 

Yes.

> To debug this try running ssh -vvv.  If that does not produce enough
> information then try running sshd in debug mode as well:
> 
> # /usr/lib/ssh/sshd -dddp 2222
> ...
> 
> % ssh -p 2222 ...
> ...
> 
> Capture the output and send it to me.
> 
>>> We force ssh via PAM to be a session based cred, and get AFS token too:
>>>
>>> # Used by GSS, but ssh has bug about saving creds, so we use session 
>>> based creds.
>> That kind of explains things then.  I guess it's a bug, eh?
> 
> It's not. 

I disagree. Using a user-based cache vs. a session-based cache can lead to
deleted tickets when a session ends or the user logs off the console. We also
saw that only the TGT would get updated, and not the other tickets
in the cache.

> Doug is doing something that is very specific to his site.

Not really; Jeff Blaine is also on the AFS list, and I bet that where
he is heading is getting AFS tokens...

> 
> Nico

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
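The two preconditions Nico lists (sshd_config GSSAPI keywords effectively on, and a forwardable TGT in the client ccache per klist -f) can be checked mechanically before anyone resorts to ssh -vvv or sshd -ddd. The script below is an added example; it is not code from this thread, from Solaris or from OpenSSH. It assumes OpenSSH-style config parsing (keywords case-insensitive, first occurrence of a keyword wins, "Keyword value" or "Keyword=value"), treats an absent keyword as "yes" because that is the Solaris 10 default Doug reports (stock OpenSSH defaults GSSAPIAuthentication to "no", so adjust for other builds), and expects MIT-style klist -f output where the TGT's Flags line carries an uppercase F for forwardable. The sample config and klist files are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original thread or from Solaris/OpenSSH.
# Static checks for the two delegation preconditions in the thread:
#   1. sshd_config: (GSSAPIAuthentication or GSSAPIKeyExchange) and
#      GSSAPIStoreDelegatedCredentials are effectively "yes"
#   2. klist -f shows a forwardable (F) krbtgt/ ticket on the client
# Assumptions: OpenSSH-style parsing (first keyword occurrence wins, case-
# insensitive), absent keyword = "yes" (Solaris 10 default per Doug; stock
# OpenSSH defaults GSSAPIAuthentication to "no").

# sshd_setting FILE KEYWORD: print the effective (lowercased) value of KEYWORD.
sshd_setting() {
    file=$1
    key=$2
    val=$(awk -v k="$key" '
        BEGIN { k = tolower(k) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
        { gsub(/[ \t]*=[ \t]*/, " "); $0 = $0 }       # accept "Keyword=value" too
        tolower($1) == "match" { exit }               # settings below Match are conditional; stop
        tolower($1) == k { print tolower($2); exit }  # first occurrence wins
    ' "$file")
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf 'yes\n'                                # assumed Solaris 10 default
    fi
}

# sshd_will_store_delegated_creds FILE: succeed if, by Nico's rule, sshd will
# accept a delegated TGT and store it (Authentication or KeyExchange on, and
# StoreDelegatedCredentials on).
sshd_will_store_delegated_creds() {
    auth=$(sshd_setting "$1" GSSAPIAuthentication)
    kex=$(sshd_setting "$1" GSSAPIKeyExchange)
    store=$(sshd_setting "$1" GSSAPIStoreDelegatedCredentials)
    { [ "$auth" = yes ] || [ "$kex" = yes ]; } && [ "$store" = yes ]
}

# has_forwardable_tgt FILE: succeed if saved "klist -f" output in FILE has a
# krbtgt/ ticket whose following Flags line contains an uppercase F.
has_forwardable_tgt() {
    awk '
        $NF ~ /^krbtgt\// { tgt = 1; next }          # ticket line for the TGT
        /Flags:/ { if (tgt && $NF ~ /F/) found = 1; tgt = 0; next }
        { tgt = 0 }                                  # any other line ends the pair
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Constructed sample inputs (not captured from a real host).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/sshd_config.ok" <<'EOF'
# GSSAPIAuthentication is deliberately left at its default here
Protocol 2
GSSAPIKeyExchange yes
GSSAPIStoreDelegatedCredentials=yes
EOF
cat > "$tmp/sshd_config.bad" <<'EOF'
Protocol 2
GSSAPIAuthentication yes
GSSAPIKeyExchange no
# GSSAPIStoreDelegatedCredentials yes
GSSAPIStoreDelegatedCredentials no
GSSAPIStoreDelegatedCredentials yes
EOF
cat > "$tmp/klist.fwd" <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: doug@EXAMPLE.ORG

Valid starting     Expires            Service principal
11/01/07 16:50:12  11/02/07 02:50:12  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        renew until 11/08/07 16:50:12, Flags: FRIA
11/01/07 16:50:20  11/02/07 02:50:12  host/sol10.example.org@EXAMPLE.ORG
        Flags: FA
EOF
cat > "$tmp/klist.nofwd" <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: doug@EXAMPLE.ORG

Valid starting     Expires            Service principal
11/01/07 16:50:12  11/02/07 02:50:12  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        Flags: IA
EOF

for cfg in ok bad; do
    if sshd_will_store_delegated_creds "$tmp/sshd_config.$cfg"; then
        echo "sshd_config.$cfg: delegated credentials will be stored"
    else
        echo "sshd_config.$cfg: delegation will NOT be stored; check the GSSAPI* keywords"
    fi
done
for cc in fwd nofwd; do
    if has_forwardable_tgt "$tmp/klist.$cc"; then
        echo "klist.$cc: forwardable TGT present"
    else
        echo "klist.$cc: no forwardable TGT; kinit -f before testing delegation"
    fi
done
```

On a real host you would point the functions at /etc/ssh/sshd_config and at a file holding the output of klist -f. Note what the "bad" sample illustrates: a later "yes" does not override an earlier "no" under first-occurrence-wins parsing, and a commented-out "yes" is not a setting at all. The check is static; it says nothing about the session-based versus user-based ccache lifetime issue Doug raises, which only shows up after the session ends.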
