Openssh, kerberos and Solaris 10 - Kerberos


Thread: Openssh, kerberos and Solaris 10

  1. Openssh, kerberos and Solaris 10

    Hi all-

    I'm not sure this is the correct place to post about this but I'm
    getting no response over an OpenSSH.org, if there is a more appropriate
    place to post please let me know... And the people at Sun scream at me
    for even considering openssh when they supply their own version of SSH
    which I'm not extremely fond of.

    Basically I'd like to compile OpenSSH with Kerberos support on Solaris
    10. Solaris 10 comes with SEAM, Sun's port of MIT Kerberos. SEAM works
    great, no problem there. My problem is: Does anyone know how to
    compile openssh on Solaris with native SEAM kerberos support? There is
    a --with-kerberos=/dir compile time option with openssh but Sun doesn't
    seem to have a single "directory" that they keep their kerberos
    libraries in... Not even sure they have GSSAPI at all, maybe just GSS?
    Does anyone have any hints on this, or has anyone ever done it? Or
    maybe a better place to post?

    ciao, erich
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Openssh, kerberos and Solaris 10

    On Tue, Aug 08, 2006 at 04:49:14PM -0700, Erich Weiler wrote:
    > Hi all-
    >
    > I'm not sure this is the correct place to post about this but I'm
    > getting no response over an OpenSSH.org, if there is a more appropriate
    > place to post please let me know... And the people at Sun scream at me
    > for even considering openssh when they supply their own version of SSH
    > which I'm not extremely fond of.
    >
    > Basically I'd like to compile OpenSSH with Kerberos support on Solaris
    > 10. Solaris 10 comes with SEAM, Sun's port of MIT Kerberos. SEAM works
    > great, no problem there. My problem is: Does anyone know how to
    > compile openssh on Solaris with native SEAM kerberos support? There is
    > a --with-kerberos=/dir compile time option with openssh but Sun doesn't
    > seem to have a single "directory" that they keep their kerberos
    > libraries in... Not even sure they have GSSAPI at all, maybe just GSS?
    > Does anyone have any hints on this, or has anyone ever done it? Or
    > maybe a better place to post?


    The Kerberos API was private in Solaris for a long time because there
    were concerns about stability of the interface. Use of the GSS-API (man
    libgss) was encouraged because this was deemed more stable and was
    described in standards docs. Things have changed and I believe Sun will
    be making the Kerberos lib API public in an upcoming Solaris 10 update.
    Still at this point on S10 you can't link an app directly to the Solaris
    Kerberos lib. Your options are to either get the MIT krb lib and link
    against that or use the native Solaris ssh which supports GSS/krb auth
    quite well (I'm using it now).

    Note you can search docs.sun.com for more info on GSS-API programming.

    --
    Will Fiveash
    Sun Microsystems Inc.
    Austin, TX, USA (TZ=CST6CDT)


  3. Re: Openssh, kerberos and Solaris 10

    Crud, I was hoping you wouldn't say that...

    -erich

    Will Fiveash wrote:
    > On Tue, Aug 08, 2006 at 04:49:14PM -0700, Erich Weiler wrote:
    >> Hi all-
    >>
    >> I'm not sure this is the correct place to post about this but I'm
    >> getting no response over an OpenSSH.org, if there is a more appropriate
    >> place to post please let me know... And the people at Sun scream at me
    >> for even considering openssh when they supply their own version of SSH
    >> which I'm not extremely fond of.
    >>
    >> Basically I'd like to compile OpenSSH with Kerberos support on Solaris
    >> 10. Solaris 10 comes with SEAM, Sun's port of MIT Kerberos. SEAM works
    >> great, no problem there. My problem is: Does anyone know how to
    >> compile openssh on Solaris with native SEAM kerberos support? There is
    >> a --with-kerberos=/dir compile time option with openssh but Sun doesn't
    >> seem to have a single "directory" that they keep their kerberos
    >> libraries in... Not even sure they have GSSAPI at all, maybe just GSS?
    >> Does anyone have any hints on this, or has anyone ever done it? Or
    >> maybe a better place to post?

    >
    > The Kerberos API was private in Solaris for a long time because there
    > were concerns about stability of the interface. Use of the GSS-API (man
    > libgss) was encouraged because this was deemed more stable and was
    > described in standards docs. Things have changed and I believe Sun will
    > be making the Kerberos lib API public in an upcoming Solaris 10 update.
    > Still at this point on S10 you can't link an app directly to the Solaris
    > Kerberos lib. Your options are to either get the MIT krb lib and link
    > against that or use the native Solaris ssh which supports GSS/krb auth
    > quite well (I'm using it now).
    >
    > Note you can search docs.sun.com for more info on GSS-API programming.



  4. Re: Openssh, kerberos and Solaris 10

    There shouldn't be the need of compiling openssh with Kerberos as the
    Solaris 10 version supports GSSAPI authentication.

    Markus

    "Erich Weiler" wrote in message
    news:44D922FA.1030509@soe.ucsc.edu...
    > Hi all-
    >
    > I'm not sure this is the correct place to post about this but I'm
    > getting no response over an OpenSSH.org, if there is a more appropriate
    > place to post please let me know... And the people at Sun scream at me
    > for even considering openssh when they supply their own version of SSH
    > which I'm not extremely fond of.
    >
    > Basically I'd like to compile OpenSSH with Kerberos support on Solaris
    > 10. Solaris 10 comes with SEAM, Sun's port of MIT Kerberos. SEAM works
    > great, no problem there. My problem is: Does anyone know how to
    > compile openssh on Solaris with native SEAM kerberos support? There is
    > a --with-kerberos=/dir compile time option with openssh but Sun doesn't
    > seem to have a single "directory" that they keep their kerberos
    > libraries in... Not even sure they have GSSAPI at all, maybe just GSS?
    > Does anyone have any hints on this, or has anyone ever done it? Or
    > maybe a better place to post?
    >
    > ciao, erich




  5. Re: Openssh, kerberos and Solaris 10



    Erich Weiler wrote:
    > Hi all-
    >
    > I'm not sure this is the correct place to post about this but I'm
    > getting no response over an OpenSSH.org, if there is a more appropriate
    > place to post please let me know... And the people at Sun scream at me
    > for even considering openssh when they supply their own version of SSH
    > which I'm not extremely fond of.
    >
    > Basically I'd like to compile OpenSSH with Kerberos support on Solaris
    > 10. Solaris 10 comes with SEAM, Sun's port of MIT Kerberos. SEAM works
    > great, no problem there. My problem is: Does anyone know how to
    > compile openssh on Solaris with native SEAM kerberos support?


    Yes and no. You can use the OpenSolaris header files and SEAM library
    or, as Will pointed out, you can wait for Sun to release the API.

    See the note below to this list from last year. There is no guarantee
    that this will work, or that the OpenSolaris header files still match
    what is in Solaris 10. But it is a start.

    You will need something like
    LDFLAGS="/usr/lib/gss/mech_krb5.so -Wl,-R,/usr/lib/gss "
    CFLAGS="-I/krb5/include"

    I also copied the MIT com_err.h and profile.h from MIT to /krb5/include.

    We use this with CVS, POP and OpenAFS aklog to get Kerberos support.

    And we too are waiting for Sun to release a supported API with Solaris 10.


    > There is
    > a --with-kerberos=/dir compile time option with openssh but Sun doesn't
    > seem to have a single "directory" that they keep their kerberos
    > libraries in... Not even sure they have GSSAPI at all, maybe just GSS?


    Yes, they have a nice gssapi and we use that if possible.

    > Does anyone have any hints on this, or has anyone ever done it? Or
    > maybe a better place to post?
    >
    > ciao, erich

    -------- Original Message --------
    Subject: Using Solaris 10 built in Kerberos support with Kerberos application
    Date: Tue, 23 Aug 2005 14:20:21 -0500
    From: Douglas E. Engert
    To: 'kerberos@mit.edu'

    In an attempt to use vendor provided Kerberos support where possible, we have
    been able to use the Solaris 10 Kerberos and the Solaris provided kinit, pam_krb5
    and ssh or any application that uses Kerberos via GSSAPI.

    But we have a number of other Kerberos applications, including qpop for Kerberized
    pop service, aklog with OpenAFS and kerberized CVS.

    The problem is that Solaris only exposes Kerberos via GSSAPI, and does not
    provide the krb5.h files or the normal Kerberos libraries.

    *What I would like to ask SUN is to include the krb5.h and its friends with the
    Solaris 10 base system.*

    To get around this,
    http:/www.opesolaris.org/source/xref/usr/src/uts/common/gsspai/mechs/krb5/include
    has a krb5.h that appears to match the /usr/lib/gss/mech_krb5.so that comes
    with Solaris 10. (I actually downloaded the tarfile to get the header files.)

    I have managed to get qpop-4.0.5 and OpenAFS-1.4.0-RC1 aklog to compile and run
    using this krb5.h with some modification, and the MIT-1.4.1 profile.h and com_err.h.

    Some problems along the way:

    o mech_krb5.so has most of the Kerberos routines and can be used as a shared
    library, but is clumsy to link as it's not a "libxxx"

    o The opensolaris krb5.h is not guaranteed to match the mech_krb5.so

    o The krb5.h refers to profile.h which is not supplied.

    o Many of the Kerberos applications also use com_err.h which is not supplied.

    o There is no com_err add_error_table.

    o Solaris does not have krb524. So aklog can not use this feature.

    But so far it still looks promising to use the Solaris 10 Kerberos and we
    are expecting that Sun will continue to improve the usability of their
    Kerberos support.

    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444

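A preflight check for the build workaround Douglas describes above, added here as an example and not code from the thread or from any Sun or MIT tool. It assumes his paths (/usr/lib/gss/mech_krb5.so, headers copied to /krb5/include) as defaults, verifies that every piece he names is present, and prints the LDFLAGS/CFLAGS he lists; it does not run configure itself.

```shell
#!/bin/sh
# Added example: preflight for linking against Solaris 10's mech_krb5.so with
# the OpenSolaris krb5.h plus the MIT profile.h and com_err.h copied into
# /krb5/include, as described in the thread. Checks presence only, no build.

# check_krb5_build_env [GSS_DIR] [INCLUDE_DIR]
#   Prints the LDFLAGS/CFLAGS to use and returns 0 when every required file
#   exists; otherwise lists what is missing on stderr and returns 1.
check_krb5_build_env() {
    gss_dir="${1:-/usr/lib/gss}"
    inc_dir="${2:-/krb5/include}"
    missing=0
    for f in "$gss_dir/mech_krb5.so" \
             "$inc_dir/krb5.h" "$inc_dir/profile.h" "$inc_dir/com_err.h"
    do
        if [ ! -f "$f" ]; then
            echo "missing: $f" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ] || return 1
    # mech_krb5.so is not named lib*.so, so -lkrb5 cannot find it: link it by
    # full path and record a runpath so the binary also finds it at run time.
    echo "LDFLAGS=\"$gss_dir/mech_krb5.so -Wl,-R,$gss_dir\""
    echo "CFLAGS=\"-I$inc_dir\""
}

# Demonstration on a constructed directory tree (no Solaris box needed):
# first with the two headers Solaris does not ship left out, then with them.
demo_preflight() {
    tmp="$(mktemp -d)" || return 2
    mkdir -p "$tmp/gss" "$tmp/include"
    : > "$tmp/gss/mech_krb5.so"
    : > "$tmp/include/krb5.h"
    if check_krb5_build_env "$tmp/gss" "$tmp/include"; then
        echo "unexpected: passed without profile.h/com_err.h"
    fi
    : > "$tmp/include/profile.h"
    : > "$tmp/include/com_err.h"
    check_krb5_build_env "$tmp/gss" "$tmp/include"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo_preflight
```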


  6. Re: Openssh, kerberos and Solaris 10

    P.S. I should say we are using the Solaris ssh and sshd, as well as
    their pam_krb5. But there are issues with the pam_krb5 with using
    session based caches rather than user, and updating of the TGT
    but leaving older tickets in the cache.


    Erich Weiler wrote:

    > Hi all-
    >
    > I'm not sure this is the correct place to post about this but I'm
    > getting no response over an OpenSSH.org, if there is a more appropriate
    > place to post please let me know... And the people at Sun scream at me
    > for even considering openssh when they supply their own version of SSH
    > which I'm not extremely fond of.
    >
    > Basically I'd like to compile OpenSSH with Kerberos support on Solaris
    > 10. Solaris 10 comes with SEAM, Sun's port of MIT Kerberos. SEAM works
    > great, no problem there. My problem is: Does anyone know how to
    > compile openssh on Solaris with native SEAM kerberos support? There is
    > a --with-kerberos=/dir compile time option with openssh but Sun doesn't
    > seem to have a single "directory" that they keep their kerberos
    > libraries in... Not even sure they have GSSAPI at all, maybe just GSS?
    > Does anyone have any hints on this, or has anyone ever done it? Or
    > maybe a better place to post?
    >
    > ciao, erich


    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444


  7. Re: Openssh, kerberos and Solaris 10



    Markus Moeller wrote:

    > There shouldn't be the need of compiling openssh with Kerberos as the
    > Solaris 10 version supports GSSAPI authentication.


    Yes and no. Until you want to store the delegated credential or do a
    krb5_userok test.

    With OpenSSH-4.1 at least ssh_gssapi_krb5_storecreds and
    ssh_gssapi_krb5_userok make krb5 API calls as gss never had a simple
    authz function or a way to save the delegated creds.

    Solaris 10's sshd uses PAM, to do these. OpenSSH should look at that
    approach too, then it would not need Kerberos specific code either.


    >
    > Markus
    >
    > "Erich Weiler" wrote in message
    > news:44D922FA.1030509@soe.ucsc.edu...
    >
    >>Hi all-
    >>
    >>I'm not sure this is the correct place to post about this but I'm
    >>getting no response over an OpenSSH.org, if there is a more appropriate
    >>place to post please let me know... And the people at Sun scream at me
    >>for even considering openssh when they supply their own version of SSH
    >>which I'm not extremely fond of.
    >>
    >>Basically I'd like to compile OpenSSH with Kerberos support on Solaris
    >>10. Solaris 10 comes with SEAM, Sun's port of MIT Kerberos. SEAM works
    >>great, no problem there. My problem is: Does anyone know how to
    >>compile openssh on Solaris with native SEAM kerberos support? There is
    >>a --with-kerberos=/dir compile time option with openssh but Sun doesn't
    >>seem to have a single "directory" that they keep their kerberos
    >>libraries in... Not even sure they have GSSAPI at all, maybe just GSS?
    >> Does anyone have any hints on this, or has anyone ever done it? Or
    >>maybe a better place to post?
    >>
    >>ciao, erich


    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444


  8. Re: Openssh, kerberos and Solaris 10

    > With OpenSSH-4.1 at least ssh_gssapi_krb5_storecreds and
    > ssh_gssapi_krb5_userok make krb5 API calls as gss never had a simple
    > authz function or a way to save the delegated creds.
    >
    > Solaris 10's sshd uses PAM, to do these. OpenSSH should look at that
    > approach too, then it would not need Kerberos specific code either.


    The main reason I need to compile OpenSSH with krb5 is because the way I
    have it working currently, OpenSSH using PAM, does not _forward_
    krb5 creds when SSHing to another machine. I have seen OpenSSH using
    GSS-API auth forward creds successfully, but not using Solaris PAM...
    Unless someone knows of a way I can forward kerberos TGTs using Solaris PAM?

    -erich


  9. Re: Openssh, kerberos and Solaris 10



    Erich Weiler wrote:

    >> With OpenSSH-4.1 at least ssh_gssapi_krb5_storecreds and
    >> ssh_gssapi_krb5_userok make krb5 API calls as gss never had a simple
    >> authz function or a way to save the delegated creds.
    >>
    >> Solaris 10's sshd uses PAM, to do these. OpenSSH should look at that
    >> approach too, then it would not need Kerberos specific code either.

    >
    >
    > The main reason I need to compile OpenSSH with krb5 is because the way I
    > have it working currently, OpenSSH using PAM, does not _forward_
    > krb5 creds when SSHing to another machine.


    You don't want it to forward? Or you do.
    The Solaris 10 ssh_config GSSAPIDelegateCredentials option could be set
    to not forward them.

    If you do, could it be that the dtlogin is not getting forwardable tickets?
    What does klist -f show?

    Solaris looks at the krb5.conf file a little differently
    than MIT. dtlogin and pam_krb5 look for forwardable = 1 in the [libdefaults]
    or [appdefaults] sections. See the man pages.


    > I have seen OpenSSH using
    > GSS-API auth forward creds successfully, but not using Solaris PAM...
    > Unless someone knows of a way I can forward kerberos TGTs using Solaris
    > PAM?
    >
    > -erich
    >
    >


    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444


  10. Re: Openssh, kerberos and Solaris 10

    Another comment, if the problem is the Solaris 10 sshd is not saving
    the forwarded credentials, it could be the pam.conf is not configured
    correctly. sshd calls pam with a number of different service names,
    including sshd-password, sshd-gssapi, sshd-kbdint. (If one of these
    is not found, "other" is used by pam :-( The man pages are not consistent
    on the names actually used. You have to read the pam_krb5 and sshd pages
    to figure this out.

    The sshd does not set the KRB5CCNAME correctly either. We do this
    with pam_krb5_cache.so.1 ccache=/tmp/krb5cc_%u_%p (user and PID)
    to get session based credentials if possible. Works from sshd-gssapi,
    but not from dtlogin where we are stuck with user based credentials.


    Sun needs to get their act together on this too. But I would
    rather live with this than have to build OpenSSH and MIT Kerberos
    when Sun is so close.

    Erich Weiler wrote:

    >>With OpenSSH-4.1 at least ssh_gssapi_krb5_storecreds and
    >>ssh_gssapi_krb5_userok make krb5 API calls as gss never had a simple
    >>authz function or a way to save the delegated creds.
    >>
    >>Solaris 10's sshd uses PAM, to do these. OpenSSH should look at that
    >>approach too, then it would not need Kerberos specific code either.

    >
    >
    > The main reason I need to compile OpenSSH with krb5 is because the way I
    > have it working currently, OpenSSH using PAM, does not _forward_
    > krb5 creds when SSHing to another machine. I have seen OpenSSH using
    > GSS-API auth forward creds successfully, but not using Solaris PAM...
    > Unless someone knows of a way I can forward kerberos TGTs using Solaris PAM?
    >
    > -erich


    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444


  11. Re: Openssh, kerberos and Solaris 10

    On Wed, Aug 09, 2006 at 08:24:22AM -0700, Erich Weiler wrote:
    > The main reason I need to compile OpenSSH with krb5 is because the way I
    > have it working currently, OpenSSH using PAM, does not _forward_
    > krb5 creds when SSHing to another machine. I have seen OpenSSH using
    > GSS-API auth forward creds successfully, but not using Solaris PAM...
    > Unless someone knows of a way I can forward kerberos TGTs using Solaris PAM?


    You fundamentally misunderstand how network authentication and
    credential forwarding work.

    PAM is orthogonal to your problem.

    In order to use network authentication you first need credentials. You
    acquire these using kinit(1) or when you login first using a PAM-aware
    login application whose PAM stack is configured to use pam_krb5(5).

    (This also works with keylogin(1) and pam_dhkeys(5), if you use NIS+.)

    Next you use telnet(1), ftp(1), ssh(1), etcetera, with appropriate
    options. The server has to have acceptor credentials, i.e., a
    host-based principal name for the service 'host' and valid keytab
    entries for these.

    (Again, something similar goes for NIS+/DH.)

    The client and server should negotiate the use of network authentication
    and the client should delegate credentials if a) you have forwardable
    tickets, b) use the appropriate option.

    PAM barely enters the picture on the server-side, and you should not be
    prompted for any passwords.

    So, what are you doing wrong?

    Have you got a TGT on the client? Is it forwardable? See the kinit(1)
    man page and post klist(1) (klist -fea) output.

    Does your server have a keytab file? klist -ke please. Are those
    keytab entries valid? You can check this by doing something like:

    # kinit -c /tmp/xyz123 -k host/
    # klist -fea -c /tmp/xyz123
    # kdestroy -c /tmp/xyz123

    Now, if you address these issues and still have problems then ssh -vvv
    and sshd -ddd output may be useful.

    # /usr/lib/ssh/sshd -dddp 2222
    ....


    % ssh -p 2222 ...
    ....

    Cheers,

    Nico
    --
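An offline triage of the client-side points raised in Douglas's and Nico's replies above (does the TGT carry the F flag in klist -f output, does krb5.conf ask for forwardable tickets, is the client asking for delegation at all), added here as an example and not code from the thread. All klist, krb5.conf and ssh_config inputs are constructed samples, and the principal and hostnames in them are made up.

```shell
#!/bin/sh
# Added example: check the three client-side preconditions for a forwarded TGT
# against sample text, so the checks can be read and run without a KDC.

# Constructed `klist -f` output: forwardable TGT (FIA) vs. non-forwardable (IA).
KLIST_OK='Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: erich@EXAMPLE.COM

Valid starting     Expires            Service principal
08/09/06 09:00:00  08/09/06 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FIA
08/09/06 09:05:00  08/09/06 19:00:00  host/box.example.com@EXAMPLE.COM
        Flags: A'
KLIST_BAD='Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: erich@EXAMPLE.COM

Valid starting     Expires            Service principal
08/09/06 09:00:00  08/09/06 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: IA'

# Constructed krb5.conf fragments (the thread says Solaris dtlogin/pam_krb5
# look for forwardable in [libdefaults] or [appdefaults]).
KRB5_CONF_OK='[libdefaults]
        default_realm = EXAMPLE.COM
        forwardable = true'
KRB5_CONF_BAD='[libdefaults]
        default_realm = EXAMPLE.COM
        forwardable = false'

# Constructed ssh_config fragments: delegation has to be requested by the client.
SSH_CONF_OK='Host *
        GSSAPIAuthentication yes
        GSSAPIDelegateCredentials yes'
SSH_CONF_BAD='Host *
        GSSAPIAuthentication yes
        GSSAPIDelegateCredentials no'

# tgt_forwardable KLIST_TEXT: 0 iff the Flags line under the krbtgt entry has F
tgt_forwardable() {
    printf '%s\n' "$1" | awk '
        /krbtgt\//   { tgt = 1; next }
        /Flags:/     { if (tgt && $2 ~ /F/) found = 1; tgt = 0; next }
                     { tgt = 0 }
        END          { if (found) exit 0; exit 1 }'
}

# krb5conf_forwardable KRB5_CONF_TEXT: 0 iff [libdefaults] or [appdefaults]
# contains forwardable = true|yes|1 (whitespace around "=" is ignored)
krb5conf_forwardable() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*\[/ { sect = $0; gsub(/[^a-z_]/, "", sect); next }
        sect == "libdefaults" || sect == "appdefaults" {
            line = $0; gsub(/[ \t]/, "", line)
            if (line ~ /^forwardable=(true|yes|1)$/) ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# ssh_delegates SSH_CONFIG_TEXT: 0 iff GSSAPIDelegateCredentials is set to yes
# (an absent directive counts as off, which is what OpenSSH defaults to)
ssh_delegates() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "gssapidelegatecredentials" && tolower($2) == "yes" { ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# delegation_triage KLIST KRB5_CONF SSH_CONF: prints one line per check and
# returns the number of failed checks (0 = nothing on the client side explains
# a missing forwarded TGT; look at sshd -ddd and the server keytab next).
delegation_triage() {
    fails=0
    if tgt_forwardable "$1"; then echo "ok:   TGT is forwardable (F flag present)"
    else echo "FAIL: TGT lacks the F flag (kinit -f, or fix krb5.conf)"; fails=$((fails + 1)); fi
    if krb5conf_forwardable "$2"; then echo "ok:   krb5.conf requests forwardable tickets"
    else echo "FAIL: krb5.conf does not set forwardable = true"; fails=$((fails + 1)); fi
    if ssh_delegates "$3"; then echo "ok:   ssh_config enables GSSAPIDelegateCredentials"
    else echo "FAIL: GSSAPIDelegateCredentials is not yes"; fails=$((fails + 1)); fi
    return "$fails"
}

delegation_triage "$KLIST_OK" "$KRB5_CONF_OK" "$SSH_CONF_OK"
delegation_triage "$KLIST_BAD" "$KRB5_CONF_BAD" "$SSH_CONF_BAD" || echo "$? check(s) failed"
```

On a real client, feed it `klist -f` output and the actual config files instead of the sample strings.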


  12. Re: Openssh, kerberos and Solaris 10

    > You fundamentally misunderstand how network authentication and
    > credential forwarding work.


    No, I think I do understand it. All you have written below are steps I
    have taken and am sorted with. Perhaps I'm not making myself very clear
    in describing the problem I'm having (which I can certainly believe).

    > PAM is orthogonal to your problem.


    I am getting credentials through PAM. That much is working. My
    problem, very specifically, is that:

    1: I want SSH to automatically forward my krb5 credentials when I SSH
    into another machine using public keys.

    2: I don't want to use Sun SSH; I would rather use OpenSSH. The reasons
    for this are not applicable to this discussion.

    3: OpenSSH can't forward Kerberos credentials without actually being
    compiled against some sort of GSS-API, which I can't seem to do under
    Solaris.

    From what others have said, I'm out of luck in this regard. Unless I
    compile MIT Kerberos as a standalone package and compile OpenSSH against
    that, I cannot hope to enable OpenSSH krb5 cred forwarding. But I have
    reasons why I'd like to stick with Solaris SEAM. Call me picky.

    ciao, erich

    >
    > In order to use network authentication you first need credentials. You
    > acquire these using kinit(1) or when you login first using a PAM-aware
    > login application whose PAM stack is configured to use pam_krb5(5).
    >
    > (This also works with keylogin(1) and pam_dhkeys(5), if you use NIS+.)
    >
    > Next you use telnet(1), ftp(1), ssh(1), etcetera, with appropriate
    > options. The server has to have acceptor credentials, i.e., a
    > host-based principal name for the service 'host' and valid keytab
    > entries for these.
    >
    > (Again, something similar goes for NIS+/DH.)
    >
    > The client and server should negotiate the use of network authentication
    > and the client should delegate credentials if a) you have forwardable
    > tickets, b) use the appropriate option.
    >
    > PAM barely enters the picture on the server-side, and you should not be
    > prompted for any passwords.
    >
    > So, what are you doing wrong?
    >
    > Have you got a TGT on the client? Is it forwardable? See the kinit(1)
    > man page and post klist(1) (klist -fea) output.
    >
    > Does your server have a keytab file? klist -ke please. Are those
    > keytab entries valid? You can check this by doing something like:
    >
    > # kinit -c /tmp/xyz123 -k host/
    > # klist -fea -c /tmp/xyz123
    > # kdestroy -c /tmp/xyz123
    >
    > Now, if you address these issues and still have problems then ssh -vvv
    > and sshd -ddd output may be useful.
    >
    > # /usr/lib/ssh/sshd -dddp 2222
    > ...
    >
    >
    > % ssh -p 2222 ...
    > ...
    >
    > Cheers,
    >
    > Nico



  13. Re: Openssh, kerberos and Solaris 10

    On Wed, Aug 09, 2006 at 09:36:30AM -0700, Erich Weiler wrote:
    > I am getting credentials through PAM. That much is working. My
    > problem, very specifically, is that:
    >
    > 1: I want SSH to automatically forward my krb5 credentials when I SSH
    > into another machine using public keys.


    This makes no sense. Why use public key authentication when you have
    Kerberos V?

    > 2: I don't want to use Sun SSH; I would rather use OpenSSH. The reasons
    > for this are not applicable to this discussion.


    I thought they were. You seemed to think that SUNWssh didn't support
    something that it does support.

    > 3: OpenSSH can't forward Kerberos credentials without actually being
    > compiled against some sort of GSS-API, which I can't seem to do under
    > Solaris.


    OpenSSH wants to use non-GSS-API, krb5 API functions that Solaris has
    not made public until recent OpenSolaris builds and, I think, the latest
    S10 update.

    In any case, the OpenSSH autoconf scripts (configure.ac) probably don't
    know how to find the Solaris GSS-API library and header files. That
    would be a bug/missing feature in OpenSSH.

    Nico
    --


  14. Re: Openssh, kerberos and Solaris 10

    On Wed, Aug 09, 2006 at 09:52:51AM -0500, Douglas E. Engert wrote:
    > Markus Moeller wrote:
    > > There shouldn't be the need of compiling openssh with Kerberos as the
    > > Solaris 10 version supports GSSAPI authentication.

    >
    > Yes and no. Until you want to store the delegated credential or do a
    > krb5_userok test.


    Solaris' sshd does this using __gss_userok() and gss_store_cred().

    > With OpenSSH-4.1 at least ssh_gssapi_krb5_storecreds and
    > ssh_gssapi_krb5_userok make krb5 API calls as gss never had a simple
    > authz function or a way to save the delegated creds.
    >
    > Solaris 10's sshd uses PAM, to do these. OpenSSH should look at that
    > approach too, then it would not need Kerberos specific code either.


    No, Solaris 10's sshd does not use PAM to do these two tasks.
    OpenSolaris' sshd will, however, soon enough.

    Nico
    --


  15. Re: Openssh, kerberos and Solaris 10



    On Wednesday, August 09, 2006 11:56:07 AM -0500 Nicolas Williams
    wrote:

    > On Wed, Aug 09, 2006 at 09:36:30AM -0700, Erich Weiler wrote:
    >> I am getting credentials through PAM. That much is working. My
    >> problem, very specifically, is that:
    >>
    >> 1: I want SSH to automatically forward my krb5 credentials when I SSH
    >> into another machine using public keys.

    >
    > This makes no sense. Why use public key authentication when you have
    > Kerberos V?


    I can see reasons why you might want to do that. For example, your
    Kerberos credentials might not be sufficient to allow access to the remote
    machine. However, that's beside the point. You can't do this, no matter
    what implementation you use, because there is no provision in the SSH
    protocol to allow this -- delegation of GSS-API credentials requires the
    use of GSS-API key exchange or user authentication using the credentials
    you wish to delegate. From a protocol standpoint, either is sufficient,
    though some implementations may not support credential delegation with
    GSS-API key exchange (stock OpenSSH doesn't support GSS-API key exchange at
    all, but the Sun one does).


    >> 2: I don't want to use Sun SSH; I would rather use OpenSSH. The reasons
    >> for this are not applicable to this discussion.

    >
    > I thought they were. You seemed to think that SUNWssh didn't support
    > something that it does support.


    I have to agree with Nico here. You've said that the reason you want to
    build OpenSSH instead of using Sun's version is to get credential
    delegation. Sun's SSH does this, and in fact has better support overall
    for both GSS-API and PAM than does OpenSSH.

    -- Jeff


  16. Re: Openssh, kerberos and Solaris 10



    Nicolas Williams wrote:

    > On Wed, Aug 09, 2006 at 09:52:51AM -0500, Douglas E. Engert wrote:
    >
    >>Markus Moeller wrote:
    >>
    >>>There shouldn't be the need of compiling openssh with Kerberos as the
    >>>Solaris 10 version supports GSSAPI authentication.

    >>
    >>Yes and no. Until you want to store the delegated credential or do a
    >>krb5_userok test.

    >
    >
    > Solaris' sshd does this using __gss_userok() and gss_store_cred().


    Good, and that was what I was trying to get the kerberos working group
    interested in before Kitten was started.

    >
    >
    >>With OpenSSH-4.1 at least ssh_gssapi_krb5_storecreds and
    >>ssh_gssapi_krb5_userok make krb5 API calls as gss never had a simple
    >>authz function or a way to save the delegated creds.
    >>
    >>Solaris 10's sshd uses PAM, to do these. OpenSSH should look at that
    >>approach too, then it would not need Kerberos specific code either.

    >
    >
    > No, Solaris 10's sshd does not use PAM to do these two tasks.
    > OpenSolaris' sshd will, however, soon enough.
    >
    > Nico


    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444


  17. Re: Openssh, kerberos and Solaris 10

    On Wed, Aug 09, 2006 at 02:26:57PM -0500, Douglas E. Engert wrote:
    >
    >
    > Nicolas Williams wrote:
    >
    > >On Wed, Aug 09, 2006 at 09:52:51AM -0500, Douglas E. Engert wrote:
    > >
    > >>Markus Moeller wrote:
    > >>
    > >>>There shouldn't be the need of compiling openssh with Kerberos as the
    > >>>Solaris 10 version supports GSSAPI authentication.
    > >>
    > >>Yes and no. Until you want to store the delegated credential or do a
    > >>krb5_userok test.

    > >
    > >
    > >Solaris' sshd does this using __gss_userok() and gss_store_cred().

    >
    > Good, and that was what I was trying to get the kerberos working group
    > interested in before Kitten was started.


    gss_store_cred() is a KITTEN WG work item.

    __gss_userok() is not; should it be? It depends on a notion of "user
    account," and so it's rather not so generic. But we could have an
    individual submission draft targeting Informational status for
    "gss_userok()"... Comments?


  18. Re: Openssh, kerberos and Solaris 10



    Erich Weiler wrote:


    >
    > 1: I want SSH to automatically forward my krb5 credentials when I SSH
    > into another machine using public keys.
    >


    Don't think OpenSSH will do this either without mods.






  19. Re: Openssh, kerberos and Solaris 10



    Nicolas Williams wrote:

    > On Wed, Aug 09, 2006 at 02:26:57PM -0500, Douglas E. Engert wrote:
    >
    >>
    >>Nicolas Williams wrote:
    >>
    >>
    >>>On Wed, Aug 09, 2006 at 09:52:51AM -0500, Douglas E. Engert wrote:
    >>>
    >>>
    >>>>Markus Moeller wrote:
    >>>>
    >>>>
    >>>>>There shouldn't be the need of compiling openssh with Kerberos as the
    >>>>>Solaris 10 version supports GSSAPI authentication.
    >>>>
    >>>>Yes and no. Until you want to store the delegated credential or do a
    >>>>krb5_userok test.
    >>>
    >>>
    >>>Solaris' sshd does this using __gss_userok() and gss_store_cred().

    >>
    >>Good, and that was what I was trying to get the kerberos working group
    >>interested in before Kitten was started.

    >
    >
    > gss_store_cred() is a KITTEN WG work item.
    >
    > __gss_userok() is not; should it be?


    I would say yes. Every service needs to do this, and use the GSS creds
    to test if it can use the local resource. So in that regard it is
    generic.


    > It depends on a notion of "user
    > account," and so it's rather not so generic. But we could have an
    > individual submission draft targeting Informational status for
    > "gss_userok()"... Comments?
    >
    >




  20. Re: Openssh, kerberos and Solaris 10

    On Wed, Aug 09, 2006 at 02:55:05PM -0500, Douglas E. Engert wrote:
    > Nicolas Williams wrote:
    > >gss_store_cred() is a KITTEN WG work item.
    > >
    > >__gss_userok() is not; should it be?

    >
    > I would say yes. Every service needs to do this, and use the GSS creds
    > to test if it can use the local resource. So in that regard it is
    > generic.


    Hmmm. We're working to push authorization of GSS-API principals and
    handling of delegated credentials to PAM. So, we're working to make
    public gss_userok() and gss_store_cred() interfaces unnecessary...

