Openssh, kerberos and Solaris 10 - Kerberos


Thread: Openssh, kerberos and Solaris 10

  1. Re: Openssh, kerberos and Solaris 10



    On Wednesday, August 09, 2006 02:55:05 PM -0500 "Douglas E. Engert"
    wrote:

    >> __gss_userok() is not; should it be?
    >
    > I would say yes. Every service needs to do this, and use the GSS creds
    > to test if it can use the local resource. So in that regard it is
    > generic.

    Actually, many services don't need to do this. An SSH server may want a
    mechanism-independent "userok" API to determine whether to allow access to
    a local account, but lots of services have nothing to do with local
    accounts.
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos
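
The "userok" decision the reply refers to, written out as an added example (not code from the thread, from OpenSSH, or from any GSS implementation). It follows the shape of the Kerberos-mechanism check that MIT's krb5_kuserok(3) makes: if the local account has a .k5login, the principal must be listed in it verbatim; otherwise the principal must be a single-component name in the local default realm whose name equals the account name. The realm, the .k5login contents and the paths are constructed for the demo.

```shell
#!/bin/sh
# Added example: a Kerberos-flavoured "userok" decision, in the style of
# MIT krb5_kuserok(3). Not from the thread or from any SSH/GSS code base.
# Realm, .k5login contents and paths below are constructed for the demo.

# write_demo_k5login -> prints the path of a constructed .k5login file
write_demo_k5login() {
    f=$(mktemp) || exit 1
    printf '%s\n' 'alice@EXAMPLE.COM' 'bob/admin@EXAMPLE.COM' >"$f"
    echo "$f"
}

# userok PRINCIPAL LOCALUSER DEFAULT_REALM K5LOGIN_PATH
# Prints "allow" or "deny" and returns 0 or 1 accordingly.
userok() {
    princ=$1 luser=$2 realm=$3 k5login=$4
    case $princ in
        *@*) ;;
        *) echo deny; return 1 ;;        # unqualified names are never trusted
    esac
    if [ -f "$k5login" ]; then
        # Explicit allow-list: exact whole-line match only, no globbing,
        # and no fall-through to the name mapping when the file exists.
        if grep -qxF -- "$princ" "$k5login"; then echo allow; return 0; fi
        echo deny; return 1
    fi
    name=${princ%@*}; prealm=${princ#*@}
    case $name in
        */*) echo deny; return 1 ;;      # host/fqdn, bob/admin etc. never map by default
    esac
    if [ "$prealm" = "$realm" ] && [ "$name" = "$luser" ]; then
        echo allow; return 0
    fi
    echo deny; return 1                  # foreign realm or different name
}

# Demo: the same local account "alice" with and without a .k5login.
k5=$(write_demo_k5login)
for p in alice@EXAMPLE.COM bob/admin@EXAMPLE.COM mallory@EXAMPLE.COM; do
    printf '%-24s -> %s (with .k5login)\n' "$p" "$(userok "$p" alice EXAMPLE.COM "$k5")"
done
for p in alice@EXAMPLE.COM alice@OTHER.ORG alice; do
    printf '%-24s -> %s (no .k5login)\n' "$p" "$(userok "$p" alice EXAMPLE.COM /nonexistent)"
done
rm -f "$k5"
```

Note the asymmetry that matters in practice: a present .k5login is an allow-list and nothing else is consulted, while a missing one falls back to "same name, same realm". A cross-realm principal such as alice@OTHER.ORG is denied in the second case even though the short name matches.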


  2. Re: Openssh, kerberos and Solaris 10

    On Wed, Aug 09, 2006 at 11:08:11AM -0500, Douglas E. Engert wrote:
    > Another comment, if the problem is the Solaris 10 sshd is not saving
    > the forwarded credentials, it could be the pam.conf is not configured
    > correctly. sshd calls pam with a number of different services names,
    > including sshd-password, sshd-gssapi, sshd-kbdint. (If one of these
    > is not found, "other" is used by pam :-( )


    sshd does not interact with PAM when storing the krb cred when doing
    gssapi-* auth. You may be seeing bug:

    6241782 gss_store_cred() overwrite not working; sshd does not overwrite expired creds with delegated creds

    This is fixed in opensolaris/Nevada but I don't think it has been
    backported to S10 yet.

    > The man pages are not consistent on the names actually used. You have
    > to read the pam_krb5 and sshd pages to figure this out.


    Please send an example of the man page inconsistencies as we'll log a
    bug if there's a problem.

    > The sshd does not set the KRB5CCNAME correctly either. We do this
    > with pam_krb5_cache.so.1 ccache=/tmp/krb5cc_%u_%p (user and PID)
    > to get session based credentials if possible. Works from sshd-gssapi,
    > but not from dtlogin where we are stuck with user based credentials.
    >
    > Sun needs to get their act together on this too. But I would
    > rather live with this than have to build OpenSSH and MIT Kerberos
    > when Sun is so close.


    Yes, we are aware and have been thinking about this for a while. To fix
    this properly in Solaris is non-trivial and there is much on our plates
    so it remains an issue. More on this later...

    --
    Will Fiveash
    Sun Microsystems Inc.
    Austin, TX, USA (TZ=CST6CDT)
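
The per-method PAM service names and the silent fall-through to "other" are the easy thing to get wrong here, so here is an added check (not from the thread, not Sun's code) that reports which pam.conf stanza each sshd service will actually hit, plus the expansion of the ccache=/tmp/krb5cc_%u_%p template mentioned above. Solaris pam.conf lines have the form "service module_type control_flag module_path [options]"; the pam.conf content written by the script is constructed for the demo, and the module names in it are illustrative rather than a recommended configuration.

```shell
#!/bin/sh
# Added example: which /etc/pam.conf stanza will Solaris sshd really use?
# sshd calls PAM with a per-method service name (sshd-gssapi, sshd-kbdint,
# sshd-password, ...); a service with no lines of its own silently gets the
# "other" stanza. Not from the thread or from Sun; the pam.conf below is
# constructed for the demo and its module lines are illustrative only.

# write_demo_pamconf -> prints the path of a constructed pam.conf
write_demo_pamconf() {
    f=$(mktemp) || exit 1
    cat >"$f" <<'EOF'
# sshd-gssapi has its own auth and session stacks (constructed example)
sshd-gssapi  auth     required   pam_krb5.so.1
sshd-gssapi  session  required   pam_krb5_cache.so.1  ccache=/tmp/krb5cc_%u_%p
# sshd-kbdint only has an auth stack; its session stack falls through to "other"
sshd-kbdint  auth     required   pam_krb5.so.1
other        auth     required   pam_unix_auth.so.1
other        session  required   pam_unix_session.so.1
EOF
    echo "$f"
}

# pam_stanza FILE SERVICE MODULE_TYPE -> the non-comment lines for that pair
pam_stanza() {
    awk -v svc="$2" -v type="$3" '
        /^[[:space:]]*#/ || NF < 4 { next }   # comments and malformed lines
        $1 == svc && $2 == type { print }
    ' "$1"
}

# pam_effective_service FILE SERVICE MODULE_TYPE -> the stanza PAM will use
pam_effective_service() {
    if [ -n "$(pam_stanza "$1" "$2" "$3")" ]; then echo "$2"; else echo other; fi
}

# ccache_for TEMPLATE USER PID -> expand the %u/%p template from the thread
ccache_for() {
    printf '%s\n' "$1" | sed -e "s/%u/$2/g" -e "s/%p/$3/g"
}

# Demo: one line per (service, module type) showing where the lookup lands.
conf=$(write_demo_pamconf)
for svc in sshd-gssapi sshd-kbdint sshd-password; do
    for type in auth session; do
        printf '%-14s %-8s -> %s\n' "$svc" "$type" \
            "$(pam_effective_service "$conf" "$svc" "$type")"
    done
done
printf 'session ccache for alice, pid 4242: %s\n' \
    "$(ccache_for /tmp/krb5cc_%u_%p alice 4242)"
rm -f "$conf"
```

Run it against the real file by replacing write_demo_pamconf with /etc/pam.conf; any sshd-* row that prints "other" is a service whose behaviour is governed by a stanza you may not have been looking at.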


  3. Re: Openssh, kerberos and Solaris 10


    >> libraries in... Not even sure they have GSSAPI at all, maybe just GSS?
    >> Does anyone have any hints on this, or has anyone ever done it? Or
    >> maybe a better place to post?

    >
    > The Kerberos API was private in Solaris for a long time because there
    > were concerns about stability of the interface. Use of the GSS-API (man
    > libgss) was encouraged because this was deemed more stable and was
    > described in standards docs. Things have changed and I believe Sun will
    > be making the Kerberos lib API public in an upcoming Solaris 10 update.


    That's right, it's slated for a Solaris 10 update release. And note
    it's in Solaris Express and OpenSolaris now. See libkrb5(3LIB) and
    krb5-config(1) in the latest Solaris Express and on opensolaris.org. I
    don't see the man pages there, but here's the putback msg:

    http://www.opensolaris.org/jive/thre...D=48170&#48170

    If you use it and have issues, drop me a line.

