OpenSSH with Wilkinson patch on Mac OS X 10.2

Steven Michaud smichaud at
Sat Sep 28 18:31:01 EDT 2002

I've been trying to port OpenSSH (3.4p1) with Simon Wilkinson's patch
to Mac OS X 10.2, using the MIT Kerberos libraries that come with OS X
10.2 (plus the 10.2 Kerberos Extras).  I've got almost everything
working ... but I can't manage to get sshd running on OS X to make use
of forwarded credentials.

The problem seems to be that no matter what I do, the (API-style)
credentials cache always gets created in the context of the root user
(the user that the main sshd is running as), which makes it invisible
to the child process that's actually doing the terminal emulation.

A file-based credential cache, created at exactly the same place in
the source code (using the Heimdal libraries), has the correct
ownership and works just fine.  (So temporarily_use_uid() in uidswap.c
is working correctly.)  I get the same results whether or not I use
privilege separation (using the UsePrivilegeSeparation switch in

The code being exercised is in ssh_gssapi_krb5_storecreds() in
gss-serv.c.  I've changed it to create an API-style cache instead of a
file-based one.  I've tried using the CCAPI to create the cache -- no
luck.  It doesn't matter what name I give the cache (though I've
mostly been using the default name, "API:Initial default ccache").
I don't see any error messages.  I've added extra debug() statements
to confirm that the code is really being executed.

I can even confirm that an API-based ticket cache is actually being
created:  I run my altered sshd with a debug flag (sshd -d), after
having su-ed to root in a Terminal console.  In this mode sshd will
accept one connection and then die (it also logs to the console
instead of to syslog).  The single connection works fine (except for
the client not being able to see or use the credentials it forwarded),
and sshd dies when the client logs out.  Then, still logged in as root
in my Terminal console on the server, I can run klist and see my
API-based credentials cache, with the client's TGT in it.  (Though I
can't see it if I su to root in any other Terminal session.  And if I
"exit" and su back to root, it's gone.)

Is what I'm trying to do impossible?  Can anyone think of a way to
make it work?  Would a design change in the Mac OS X Kerberos
libraries be required?

More information about the krbdev mailing list