On Wed, Aug 09, 2006 at 08:24:22AM -0700, Erich Weiler wrote:
> The main reason I need to compile OpenSSH with krb5 is because the way I
> have it working currently, OpenSSH using PAM, does not _forward_
> krb5 creds when SSHing to another machine. I have seen OpenSSH using
> GSS-API auth forward creds successfully, but not using Solaris PAM...
> Unless someone knows of a way I can forward kerberos TGTs using Solaris PAM?
You fundamentally misunderstand how network authentication and credential forwarding work. PAM is orthogonal to your problem.

In order to use network authentication you first need credentials. You acquire these using kinit(1) or when you first log in using a PAM-aware login application whose PAM stack is configured to use pam_krb5(5). (This also works with keylogin(1) and pam_dhkeys(5), if you use NIS+.)

Next you use telnet(1), ftp(1), ssh(1), etcetera, with appropriate options. The server has to have acceptor credentials, i.e., a host-based principal name for the service 'host' and valid keytab entries for these. (Again, something similar goes for NIS+/DH.) The client and server should negotiate the use of network authentication and the client should delegate credentials if a) you have forwardable tickets, b) you use the appropriate option.

PAM barely enters the picture on the server side, and you should not be prompted for any passwords.

So, what are you doing wrong? Have you got a TGT on the client? Is it forwardable? See the kinit(1) man page and post klist(1) (klist -fea) output. Does your server have a keytab file? klist -ke please. Are those keytab entries valid? You can check this by doing something like:

  # kinit -c /tmp/xyz123 -k host/<server.fqdn>
  # klist -fea -c /tmp/xyz123
  # kdestroy -c /tmp/xyz123

Now, if you address these issues and still have problems then ssh -vvv and sshd -ddd output may be useful.

  # /usr/lib/ssh/sshd -dddp 2222
  ...
  % ssh -p 2222 ...
  ...

Cheers,

Nico
-- 
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
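As an added example, not part of Nico's message or of any Kerberos or Solaris code, the checks he asks for can be scripted as a pre-flight test: a forwardable TGT on the client (klist -fea), a host/<fqdn> key in the server keytab (klist -ke), and a keytab the KDC actually accepts (kinit -k into a scratch cache, then kdestroy). The two parsers read klist output on stdin so they can be exercised offline against the constructed sample output embedded below, which is modelled on MIT/Solaris klist layout (an assumption for other implementations); the kinit -k check needs a live KDC. The server name, realm, principal and cache paths are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: pre-flight checks for the
# three questions Nico asks before debugging credential delegation over ssh:
#  1. client holds a TGT and it is forwardable   (klist -fea)
#  2. server keytab holds a host/<fqdn> key       (klist -ke)
#  3. the KDC accepts that key                    (kinit -k)
# The parsers read klist output on stdin so they can run on captured text;
# run_checks() wires them to the live commands.  Output layout follows
# MIT/Solaris klist and is an assumption for other implementations.

# tgt_is_forwardable: exit 0 if the krbtgt/ entry in `klist -fea` output
# carries the F flag ("F" = forwardable; lowercase "f" = already forwarded).
tgt_is_forwardable() {
  awk '
    /krbtgt\// { in_tgt = 1; next }            # TGT entry; its Flags: line follows
    in_tgt && /Flags:/ {
      sub(/.*Flags: */, ""); sub(/[ ,].*/, "")  # keep only the flag letters
      if (index($0, "F") > 0) found = 1
      in_tgt = 0
    }
    /^[0-9]/ { in_tgt = 0 }                    # another ticket entry starts
    END { exit found ? 0 : 1 }
  '
}

# keytab_has_host_key <server.fqdn>: exit 0 if `klist -ke` output on stdin
# lists a host/<server.fqdn>@REALM entry, the acceptor principal sshd needs.
keytab_has_host_key() {
  esc=$(printf '%s' "$1" | sed 's/\./\\./g')   # dots are literal in the regex
  grep -qE "^[[:space:]]*[0-9]+[[:space:]]+host/${esc}@"
}

# keytab_can_authenticate <server.fqdn>: the validity test from the thread,
# using a scratch cache so the caller's own ccache is untouched.
# Needs a reachable KDC; not exercised by the offline samples below.
keytab_can_authenticate() {
  cc=$(mktemp /tmp/krb5cc_check.XXXXXX) || return 1
  if kinit -k -c "$cc" "host/$1"; then
    klist -fea -c "$cc"
    kdestroy -c "$cc"
    return 0
  fi
  rm -f "$cc"
  return 1
}

# run_checks <server.fqdn>: check 1 belongs on the ssh client, checks 2 and 3
# on the server (as root, to read the keytab).
run_checks() {
  srv=$1; rc=0
  if klist -fea | tgt_is_forwardable; then echo "ok:   client TGT is forwardable"
  else echo "FAIL: no forwardable TGT (kinit -f, or forwardable = true in krb5.conf)"; rc=1; fi
  if klist -ke | keytab_has_host_key "$srv"; then echo "ok:   keytab has host/$srv"
  else echo "FAIL: keytab has no host/$srv entry"; rc=1; fi
  if keytab_can_authenticate "$srv"; then echo "ok:   KDC accepts the key for host/$srv"
  else echo "FAIL: kinit -k host/$srv failed (stale key or wrong kvno?)"; rc=1; fi
  return $rc
}

# Constructed sample output (not captured from a real system).
SAMPLE_TGT_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_100
Default principal: weiler@EXAMPLE.COM

Valid starting     Expires            Service principal
08/09/06 08:24:22  08/09/06 18:24:22  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 08/16/06 08:24:22, Flags: FRIA
        Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5'

SAMPLE_TGT_PLAIN='Ticket cache: FILE:/tmp/krb5cc_100
Default principal: weiler@EXAMPLE.COM

Valid starting     Expires            Service principal
08/09/06 08:24:22  08/09/06 18:24:22  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: IA
        Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5'

SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 host/server.example.com@EXAMPLE.COM (DES cbc mode with RSA-MD5)
   3 host/server.example.com@EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)'

# "demo" runs the parsers on the samples; a server FQDN runs the live checks.
case "${1-}" in
  demo)
    printf '%s\n' "$SAMPLE_TGT_FORWARDABLE" | tgt_is_forwardable && echo "sample 1: forwardable"
    printf '%s\n' "$SAMPLE_TGT_PLAIN" | tgt_is_forwardable || echo "sample 2: not forwardable"
    printf '%s\n' "$SAMPLE_KEYTAB" | keytab_has_host_key server.example.com && echo "keytab: host key present"
    ;;
  ?*) run_checks "$1" ;;
esac
```

Run it as `sh krb5-preflight.sh demo` to see the parsers work on the samples, or `sh krb5-preflight.sh server.example.com` on a live system. The forwardable check looks only at the krbtgt/ entry and only at the capital F, because a lowercase f in the same field means the ticket was itself forwarded and says nothing about whether ssh may delegate it onward. If all three checks pass and delegation still fails, the next step is the one in the message: sshd -ddd on a spare port beside ssh -vvv.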
