Another comment, if the problem is the Solaris 10 sshd is not saving
the forwarded credentials, it could be the pam.conf is not configured
correctly.  sshd calls pam with a number of different service names,
including sshd-password, sshd-gssapi, sshd-kbdint. (If one of these
is not found, another is used by pam :-( The man pages are not consistent
on the names actually used. You have to read the pam_krb5 and sshd pages
to figure this out.

The sshd does not set the KRB5CCNAME correctly either. We do this
with pam_krb5_cache.so.1 ccache=/tmp/krb5cc_%u_%p (user and PID)
to get session based credentials if possible. Works from sshd-gssapi,
but not from dtlogin where we are stuck with user based credentials.


Sun needs to get their act together on this too. But I would
rather live with this than have to build OpenSSH and MIT Kerberos
when Sun is so close.

Erich Weiler wrote:

>>With OpenSSH-4.1 at least ssh_gssapi_krb5_storecreds and
>>ssh_gssapi_krb5_userok make krb5 API calls as gss never had a simple
>>authz function or a way to save the delegated creds.
>>
>>Solaris 10's sshd uses PAM, to do these. OpenSSH should look at that
>>approach too, then it would not need Kerberos specific code either.
> 
> 
> The main reason I need to compile OpenSSH with krb5 is because the way I
> have it working currently, OpenSSH using PAM, does not _forward_
> krb5 creds when SSHing to another machine.  I have seen OpenSSH using
> GSS-API auth forward creds successfully, but not using Solaris PAM...
> Unless someone knows of a way I can forward kerberos TGTs using Solaris PAM?
> 
> -erich

-- 

  Douglas E. Engert  <[EMAIL PROTECTED]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos