On Wed, Aug 09, 2006 at 11:08:11AM -0500, Douglas E. Engert wrote:
> Another comment, if the problem is the Solaris 10 sshd is not saving
> the forwarded credentials, it could be the pam.conf is not configured
> correctly. sshd calls pam with a number of different service names,
> including sshd-password, sshd-gssapi, sshd-kdbint. (If one of these
> is not found, other is used by pam :-(

sshd does not interact with PAM when storing the krb cred when doing
gssapi-* auth. You may be seeing bug:

6241782 gss_store_cred() overwrite not working; sshd does not overwrite
expired creds with delegated creds

This is fixed in opensolaris/Nevada but I don't think it has been
backported to S10 yet.

> The man pages are not consistent on the names actually used. You have
> to read the pam_krb5 and sshd pages to figure this out.

Please send an example of the man page inconsistencies as we'll log a
bug if there's a problem.

> The sshd does not set the KRB5CCNAME correctly either. We do this
> with pam_krb5_cache.so.1 ccache=/tmp/krb5cc_%u_%p (user and PID)
> to get session based credentials if possible. Works from sshd-gssapi,
> but not from dtlogin where we are stuck with user based credentials.
>
> Sun needs to get their act together on this too. But I would
> rather live with this than to have to build OpenSSH and MIT Kerberos
> when Sun is so close.

Yes, we are aware and have been thinking about this for a while. To fix
this properly in Solaris is non-trivial and there is much on our plates
so it remains an issue. More on this later...

--
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
________________________________________________
Kerberos mailing list
https://mailman.mit.edu/mailman/listinfo/kerberos
