Douglas E. Engert wrote:
> Jeff Blaine wrote:
>> I apologize for the general nature of this post. Maybe it's
>> better posted to the secureshell list which is loaded with
>> spam and is often choked up sitting on some server somewhere,
>> but...
>>
>> I can ssh with GSSAPI auth to a Solaris 10 box fine. When
>> I'm in though, klist says I have no credential cache and
>> there's nothing useful in /tmp.
>
> What does your /etc/pam.conf look like?

I was using the sshd non-PAM GSSAPIAuthentication (enabled by default).

> We force ssh via PAM to be a session based cred, and get AFS token too:
>
> # Used by GSS, but ssh has bug about saving creds, so we use session based creds.

That kind of explains things then. I guess it's a bug, eh? PAM works
better for us anyway, I was just thinking I might have poor luck with
it and ticket forwarding. I'll give it a shot.

> sshd-gssapi account requisite pam_roles.so.1
> sshd-gssapi account required pam_unix_account.so.1
> sshd-gssapi account required /krb5/lib/pam_krb5_ccache.so.1 ccache=/tmp/krb5cc_%u_%p
>
> sshd-gssapi session required pam_unix_session.so.1
> sshd-gssapi session required /krb5/lib/pam_afs2.so.1
> sshd-gssapi session required /krb5/lib/pam_krb5_ccache.so.1 cleaen

I'll

> See:
> ftp://achilles.ctd.anl.gov/pub/DEE/pam_krb5_ccache-0.1.tar
> ftp://achilles.ctd.anl.gov/pub/DEE/pam_afs2-0.1.tar
>
>>
>> Has anyone come across this and found an answer?
>> ________________________________________________
>> Kerberos mailing list [email protected]
>> https://mailman.mit.edu/mailman/listinfo/kerberos
