Openssh, kerberos and Solaris 10 - Kerberos
Re: Openssh, kerberos and Solaris 10
On Wednesday, August 09, 2006 02:55:05 PM -0500 "Douglas E. Engert"
wrote:
>> __gss_userok() is not; should it be?
>
> I would say yes. Every service needs to do this, and use the GSS creds
> to test if it can use the local resource. So in that regard it is
> generic.
Actually, many services don't need to do this. An SSH server may want a
mechanism-independent "userok" API to determine whether to allow access to
a local account, but lots of services have nothing to do with local
accounts.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
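The "userok" decision the reply above refers to, as an added example that is not code from the thread or from any of the implementations discussed: it mirrors the rules of krb5_kuserok() (a .k5login allow list if present, otherwise same primary, no instance, default realm). The default realm and the .k5login contents are constructed assumptions.

```python
from typing import Optional, Tuple

# Constructed value for the example; a real service takes this from krb5.conf.
DEFAULT_REALM = "EXAMPLE.ORG"


def parse_principal(name: str) -> Tuple[str, str, str]:
    """Split 'primary[/instance]@REALM' into (primary, instance, realm).

    Only the last '@' separates the realm. Backslash escapes are not
    handled here, which a production parser must do."""
    if "@" not in name:
        raise ValueError("principal lacks a realm: %r" % name)
    local, _, realm = name.rpartition("@")
    if not local or not realm:
        raise ValueError("malformed principal: %r" % name)
    primary, _, instance = local.partition("/")
    return primary, instance, realm


def userok(principal: str, local_user: str, k5login: Optional[str]) -> bool:
    """Decide whether an authenticated principal may use a local account.

    k5login is the text of the account's .k5login file, or None if absent.
    With a .k5login, only principals listed there (exact match) are allowed;
    a real implementation must also verify the file is owned by the user
    and not writable by anyone else before trusting it.
    Without one, only primary == local_user, no instance, default realm."""
    try:
        primary, instance, realm = parse_principal(principal)
    except ValueError:
        return False
    if k5login is not None:
        allowed = {line.strip() for line in k5login.splitlines() if line.strip()}
        return principal in allowed
    return primary == local_user and instance == "" and realm == DEFAULT_REALM


# Constructed sample .k5login for the account "alice".
SAMPLE_K5LOGIN = "alice@EXAMPLE.ORG\nbob/admin@OTHER.ORG\n"

if __name__ == "__main__":
    for p, k in [("alice@EXAMPLE.ORG", None), ("alice@OTHER.ORG", None),
                 ("alice/admin@EXAMPLE.ORG", None),
                 ("bob/admin@OTHER.ORG", SAMPLE_K5LOGIN),
                 ("alice@OTHER.ORG", SAMPLE_K5LOGIN), ("mallory", None)]:
        print("%-26s -> %s" % (p, userok(p, "alice", k)))
```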
-
Re: Openssh, kerberos and Solaris 10
On Wed, Aug 09, 2006 at 11:08:11AM -0500, Douglas E. Engert wrote:
> Another comment, if the problem is the Solaris 10 sshd is not saving
> the forwarded credentials, it could be the pam.conf is not configured
> correctly. sshd calls pam with a number of different services names,
> including sshd-password, sshd-gssapi, sshd-kbdint. (If one of these
> is not found, other is used by pam :-(
sshd does not interact with PAM when storing the krb cred when doing
gssapi-* auth. You may be seeing bug:
6241782 gss_store_cred() overwrite not working; sshd does not overwrite expired creds with delegated creds
This is fixed in opensolaris/Nevada but I don't think it has been
backported to S10 yet.
> The man pages are not consistent on the names actually used. You have
> to read the pam_krb5 and sshd pages to figure this out.
Please send an example of the man page inconsistencies as we'll log a
bug if there's a problem.
> The sshd does not set the KRB5CCNAME correctly either. We do this
> with pam_krb5_cache.so.1 ccache=/tmp/krb5cc_%u_%p (user and PID)
> to get session based credentials if possible. Works from sshd-gssapi,
> but not from dtlogin where we are stuck with user based credentials.
>
> Sun needs to get their act together on this too. But I would
> rather live with this than to have to build OpenSSH and MIT Kerberos
> when Sun is so close.
Yes, we are aware and have been thinking about this for a while. To fix
this properly in Solaris is non-trivial and there is much on our plates
so it remains an issue. More on this later...
--
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
-
Re: Openssh, kerberos and Solaris 10
>> libraries in... Not even sure they have GSSAPI at all, maybe just GSS?
>> Does anyone have any hints on this, or has anyone ever done it? Or
>> maybe a better place to post?
>
> The Kerberos API was private in Solaris for a long time because there
> were concerns about stability of the interface. Use of the GSS-API (man
> libgss) was encouraged because this was deemed more stable and was
> described in standards docs. Things have changed and I believe Sun will
> be making the Kerberos lib API public in an upcoming Solaris 10 update.
That's right, it's slated for a Solaris 10 update release. And note
it's in Solaris Express and OpenSolaris now. See libkrb5(3LIB) and
krb5-config(1) in the latest Solaris Express and on opensolaris.org, I
don't see the man pages but here's the putback msg:
http://www.opensolaris.org/jive/thre...D=48170
If you use it and have issues, drop me a line.