On Wednesday, August 09, 2006 11:56:07 AM -0500 Nicolas Williams <[EMAIL PROTECTED]> wrote:
> On Wed, Aug 09, 2006 at 09:36:30AM -0700, Erich Weiler wrote:
>> I am getting credentials through PAM. That much is working. My
>> problem, very specifically, is that:
>>
>> 1: I want SSH to automatically forward my krb5 credentials when I SSH
>> into another machine using public keys.
>
> This makes no sense. Why use public key authentication when you have
> Kerberos V?

I can see reasons why you might want to do that. For example, your Kerberos credentials might not be sufficient to allow access to the remote machine.

However, that's beside the point. You can't do this, no matter what implementation you use, because there is no provision in the SSH protocol to allow this -- delegation of GSS-API credentials requires the use of GSS-API key exchange or user authentication using the credentials you wish to delegate. From a protocol standpoint, either is sufficient, though some implementations may not support credential delegation with GSS-API key exchange (stock OpenSSH doesn't support GSS-API key exchange at all, but the Sun one does).

>> 2: I don't want to use Sun SSH; I would rather use OpenSSH. The reasons
>> for this are not applicable to this discussion.
>
> I thought they were. You seemed to think that SUNWssh didn't support
> something that it does support.

I have to agree with Nico here. You've said that the reason you want to build OpenSSH instead of using Sun's version is to get credential delegation. Sun's SSH does this, and in fact has better support overall for both GSS-API and PAM than does OpenSSH.

-- Jeff

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
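
A troubleshooting aid for the point made in this message, added here as an example and not part of the original thread: it reads `ssh -v` client output and reports whether the login used a GSS-API userauth method, which is the precondition for delegation. The transcripts are constructed, and the debug line wording is assumed to match what the OpenSSH client prints; the function name `diagnose` is hypothetical.

```python
import re

# Userauth methods that run a GSS-API exchange (method names from RFC 4462).
GSS_METHODS = {"gssapi-with-mic", "gssapi-keyex"}

SUCCESS_RE = re.compile(r"Authentication succeeded \(([^)]+)\)")
OFFERED_RE = re.compile(r"Authentications that can continue: (\S+)")

# Constructed sample transcripts (assumed OpenSSH client debug format).
PUBKEY_LOGIN = """\
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Authentication succeeded (publickey).
"""
GSS_LOGIN = """\
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Authentication succeeded (gssapi-with-mic).
"""


def diagnose(verbose_output: str) -> dict:
    """Summarise an `ssh -v` transcript with respect to credential delegation."""
    method, offered, deleg_requested = None, set(), False
    for line in verbose_output.splitlines():
        if m := SUCCESS_RE.search(line):
            method = m.group(1)
        elif m := OFFERED_RE.search(line):
            offered.update(m.group(1).split(","))
        elif "Delegating credentials" in line:
            deleg_requested = True
    used_gss = method in GSS_METHODS
    if used_gss and deleg_requested:
        reason = "GSS-API authentication succeeded and the client requested delegation"
    elif used_gss:
        reason = "GSS-API authentication succeeded but delegation was not requested"
    elif offered & GSS_METHODS:
        reason = f"server offered GSS-API but login used {method}; nothing to delegate"
    else:
        reason = f"server did not offer GSS-API; login used {method}"
    # can_delegate reflects the client side only; the server may still refuse
    # to store the forwarded credentials.
    return {"method": method, "can_delegate": used_gss and deleg_requested, "reason": reason}


if __name__ == "__main__":
    for name, text in (("publickey", PUBKEY_LOGIN), ("gssapi", GSS_LOGIN)):
        print(name, diagnose(text))
```
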