OpenSSH with Wilkinson patch on Mac OS X 10.2

Steven Michaud smichaud at
Sun Sep 29 17:48:00 EDT 2002

By bootstrap server do you mean the sshd child process that runs as
the client and handles terminal emulation on the server side?  If so,
you're right.

I think I've now got everything working.  I discovered that I could
get the server-side MIT libraries to create an API-style ticket cache
in the client's context if I made the appropriate calls from this
child process, after the "real user" id and group had already been
irrevocably set to the client's id and group (using setuid() and
setgid() instead of seteuid() and setegid()).  (I'm calling
ssh_gssapi_storecreds() from do_child() in session.c.)  Ordinarily the
calls to create the ticket cache are made much earlier -- as best I
can tell even before the chrooted "privilege separation daemon" gets

The API-style caching still doesn't work if you set UseLogin to "yes"
in your sshd_config file ... but I suspect most people don't do this.

With a bit more hacking (by storing information in the parent that
ends up being used in the child), I've even gotten an API-style ticket
cache to appear when the client sends his/her "Kerberos password" over
the SSH pipe to the server.

After I've banged on it a bit longer, I'll post my patch to this list.
Simon Wilkinson will, of course, be quite welcome to include it in his
own patch.

By the way, do you think that seteuid() and setegid() are misbehaving
on OS X?  Would I have had to go to the same lengths on a different

On Sun, 29 Sep 2002, Sam Hartman wrote:

> When does sshd create a new bootstrap server?  It seems likely that it
> is doing so too late for the credentials cache server to associate
> with the user.

More information about the krbdev mailing list