For various reasons[1] I've found that the PAM solution doesn't
cover all bases and I've resorted to putting aklog in

/etc/ssh/sshrc

If you have an sshrc it needs to deal with the xauth stuff as 
well.

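#
# Evil workaround for pam sshd stupidity.
# Get AFS tokens when a Kerberos credential cache is present.
if [ -n "$KRB5CCNAME" ] && [ -x /usr/bin/aklog ]; then
        /usr/bin/aklog
fi
# With an sshrc in place, the xauth entry has to be added here.
# sshd supplies "proto cookie" on stdin when X11 forwarding is in use.
if read proto cookie && [ -n "$DISPLAY" ]; then
        if [ "`echo $DISPLAY | cut -c1-10`" = 'localhost:' ]; then
                # X11UseLocalhost=yes
                echo add unix:`echo $DISPLAY | cut -c11-` $proto $cookie
        else
                # X11UseLocalhost=no
                echo add $DISPLAY $proto $cookie
        fi | /usr/bin/xauth -q -
fi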

- Booker C. Bense

[1]- To be honest I've forgotten exactly what the combination
was, but there was one edge case where I just couldn't get the
PAM-based solution to work. The sshrc solution is also required
on OS X.
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
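
An added example, not part of the original post: a dry-run harness that checks an sshrc like the one above without a real login, by running a copy whose /usr/bin/ paths point at logging stubs. The helper names write_sample_sshrc and run_case, the DISPLAY values and the cookie are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. write_sample_sshrc and run_case
# are hypothetical helper names; the cookie and DISPLAY values are constructed.

# Write a copy of the posted sshrc (mail line-wrapping repaired) to file $1.
write_sample_sshrc() {
    cat > "$1" <<'EOF'
if [ -n "$KRB5CCNAME" ] && [ -x /usr/bin/aklog ]; then
        /usr/bin/aklog
fi
if read proto cookie && [ -n "$DISPLAY" ]; then
        if [ "`echo $DISPLAY | cut -c1-10`" = 'localhost:' ]; then
                echo add unix:`echo $DISPLAY | cut -c11-` $proto $cookie
        else
                echo add $DISPLAY $proto $cookie
        fi | /usr/bin/xauth -q -
fi
EOF
}

# run_case SSHRC DISPLAY KRB5CCNAME STDIN_LINE
# Runs a copy of SSHRC whose /usr/bin/ paths point at logging stubs, and
# prints what the stubs recorded. An empty STDIN_LINE means no X11 forwarding.
run_case() {
    tmp=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho "aklog called" >> "%s/log"\n' "$tmp" > "$tmp/aklog"
    printf '#!/bin/sh\nsed "s/^/xauth: /" >> "%s/log"\n' "$tmp" > "$tmp/xauth"
    chmod +x "$tmp/aklog" "$tmp/xauth"
    : > "$tmp/log"
    sed "s#/usr/bin/#$tmp/#g" "$1" > "$tmp/sshrc"
    # sshd writes "proto cookie" to sshrc's stdin only when forwarding X11.
    { [ -z "$4" ] || printf '%s\n' "$4"; } |
        DISPLAY=$2 KRB5CCNAME=$3 /bin/sh "$tmp/sshrc"
    cat "$tmp/log"
    rm -rf "$tmp"
}
```

The path rewrite covers every /usr/bin/ reference in the file under test, so an sshrc that calls other tools by absolute path under /usr/bin needs stubs for those as well.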
