Erich Weiler wrote:
>> With OpenSSH-4.1 at least ssh_gssapi_krb5_storecreds and
>> ssh_gssapi_krb5_userok make krb5 API calls as gss never had a simple
>> authz function or a way to save the delegated creds.
>>
>> Solaris 10's sshd uses PAM, to do these. OpenSSH should look at that
>> approach too, then it would not need Kerberos specific code either.
>
>
> The main reason I need to compile OpenSSH with krb5 is because the way I
> have it working currently, OpenSSH using PAM, does not does _forward_
> krb5 creds when SSHing to another machine.

You don't want it to forward? Or you do? The Solaris 10 ssh_config
GSSAPIDelegateCredentials option could be set to not forward them.

If you do, could it be that the dtlogin is not getting forwardable
tickets? What does klist -f show?

Solaris looks at the krb5.conf file a little differently than MIT.
dtlogin and pam_krb5 look for forwardable = 1 in the [libdefault] or
[appdefault] sections. See the man pages.

> I have seen OpenSSH using
> GSS-API auth forward creds successfully, but not using Solaris PAM...
> Unless someone knows of a way I can forward kerberos TGTs using Solaris
> PAM?
>
> -erich
>
>

--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
