Not surprised that they patched something useful in. And it is a useful
option.
thanks
On Mon, Jul 11, 2022 at 12:40:57PM -0700, Carson Gaspar wrote:
> This is a Red Hat patch: openssh-7.7p1-gssapi-new-unique.patch
This is a Red Hat patch: openssh-7.7p1-gssapi-new-unique.patch
On 7/11/2022 12:26 PM, Dirk Heinrichs wrote:
Dave Botsch:
Yup, I see that that option is not there on rhel6 with
openssh-server-5.3p1-124.el6_10.x86_64
so must be a new option. And something that was clearly handled
differently on RHEL6.
thanks!
On Mon, Jul 11, 2022 at 09:26:54PM +0200, Dirk Heinrichs wrote:
Dave Botsch:
> Maybe it's not in a newer release of openssh?
Nope. Also looked up Debian Stretch's man page for OpenSSH 7.9. Doesn't
have it. See
https://manpages.debian.org/stretch/openssh-server/sshd_config.5.en.html
Bye...
Dirk
--
Dirk Heinrichs
Matrix address: @heini:chat.altum.de
GPG
> Maybe it's not in a newer release of openssh?
RHEL8 is using:
$ rpm -q openssh-server
openssh-server-8.0p1-13.el8.x86_64
And from the man page:
    KerberosUniqueCCache
            Specifies whether to store the acquired tickets in the
            per-session credential cache under /tmp/ or
Dave Botsch:
> KerberosUniqueCCache=yes in sshd.conf
Could you elaborate on what this option is good for? I can't find it in
sshd_config(5), neither on a Debian Bookworm system with OpenSSH 9.0,
nor in online man-pages of Arch Linux or upstream OpenSSH. Is this some
special RH-only thing?
Since we are not using PAGs anymore on most of our systems and instead
using UID based logins for tokens, I should retest and see what does and
doesn't work with keyrings as I honestly don't recall at this point, and
things have changed with the various point releases of RHEL8. One of the
We went back to using FILE based caches for use along with PAGs.
Something didn't work right with keyring caches, and I don't recall
what.
I believe our general path was, keyring didn't work, ok, go to file
based. Now get sssd and pam_afs_session working properly and work around
the krb5-1.18
I think all we had to do, actually, was set appropriate options for
GSSAPI in sshd_config ... and make sure it was still using PAM for the
account and session pieces.
We did not have to use any stashcred or chuse stuff... our session stack
looks like:
session optional
Hi all!
Jeffrey pointed us in the right direction - and most useful, a reason
why it failed for us. Kudos to Jeffrey, as always!
Since we won't touch SSSD with a 10-yard-stick, we gave
pam_afs_session.so a spin. And lo and behold: It really worked!
We have the following in our
In our case, we use multiple kerberos domains to authenticate users.
So in pam.d/password-auth...
auth    sufficient    pam_sss.so forward_pass
then lets sssd take care of figuring out via an ldap lookup, which
kerberos domain to authenticate the user
I wanted to mention that we are successfully doing ssh and gnome-shell
logins with pam_sssd where sssd takes care of authN via kerberos and via
ldap provides group information, and pam_afs_session to get afs tokens.
Two difficulties... if using PAGSHs, not all processes run inside a
pagsh, which
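The posts above describe the pieces of a working Kerberos + sssd + AFS login (the GSSAPI options in sshd_config, the `auth sufficient pam_sss.so forward_pass` line, and pam_afs_session in the session phase) but never show them together. The script below is an added example, not code from the thread or from any of the projects named in it: it audits an sshd_config and a PAM stack file for those settings and runs offline against two constructed sample pairs (a RHEL8-style working pair and one showing the missing pieces). The compiled-in defaults it assumes for the three sshd keywords are upstream's; `KerberosUniqueCCache` is only included in the sample file as the Red Hat extra that upstream sshd rejects.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config and a PAM
# stack for the GSSAPI + sssd + pam_afs_session settings the posts describe.
# File names and sample contents below are constructed for the demo.

# Effective value of an sshd_config keyword.  sshd uses the first
# uncommented occurrence and keywords are case-insensitive; $3 is the
# compiled-in default returned when the file does not set the keyword.
sshd_opt() {
    v=$(awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1")
    printf '%s\n' "${v:-$3}"
}

# True if the PAM file has an uncommented line of type $2 (auth/account/
# session) that loads module $3 and, if $4 is given, carries that argument.
pam_has() {
    awk -v type="$2" -v mod="$3" -v arg="$4" '
        $1 !~ /^#/ && $1 == type && index($0, mod) && (arg == "" || index($0, arg)) { found = 1 }
        END { exit !found }
    ' "$1"
}

# Audit one host's config pair.  Prints each finding and returns the
# number of findings (0 = matches the working setup from the thread).
audit() {
    cfg=$1; pam=$2; bad=0
    # sshd must do GSSAPI, hand the session to PAM, and clean the ccache at logout.
    # Format: keyword:wanted:upstream-default
    for spec in "GSSAPIAuthentication:yes:no" "UsePAM:yes:no" "GSSAPICleanupCredentials:yes:yes"; do
        key=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; dflt=${rest#*:}
        got=$(sshd_opt "$cfg" "$key" "$dflt")
        [ "$got" = "$want" ] || { echo "sshd_config: $key is '$got', want '$want'"; bad=$((bad+1)); }
    done
    # sssd only obtains the TGT if it sees the password (forward_pass), and
    # pam_afs_session must run in the session phase to mint the AFS token.
    pam_has "$pam" auth pam_sss.so forward_pass ||
        { echo "pam: no 'auth sufficient pam_sss.so forward_pass'"; bad=$((bad+1)); }
    pam_has "$pam" session pam_afs_session.so ||
        { echo "pam: no 'session ... pam_afs_session.so' (no AFS token at login)"; bad=$((bad+1)); }
    return $bad
}

# Constructed samples: a working RHEL8-style pair and a pair that shows the
# two most common gaps (UsePAM off, no forward_pass, no pam_afs_session).
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/sshd_config.good" <<'EOF'
# Kerberos/GSSAPI login, session handed to PAM
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
# Red Hat only: per-session ccache; upstream sshd rejects this keyword
KerberosUniqueCCache yes
EOF
    cat > "$dir/password-auth.good" <<'EOF'
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
account     required      pam_sss.so
session     optional      pam_afs_session.so
session     required      pam_sss.so
EOF
    cat > "$dir/sshd_config.bad" <<'EOF'
GSSAPIAuthentication yes
UsePAM no
EOF
    cat > "$dir/password-auth.bad" <<'EOF'
auth        sufficient    pam_sss.so
session     required      pam_unix.so
EOF
    printf '%s\n' "$dir"
}

d=$(write_samples)
echo "== working pair"; audit "$d/sshd_config.good" "$d/password-auth.good" && echo "OK"
echo "== broken pair";  audit "$d/sshd_config.bad"  "$d/password-auth.bad"  || echo "$? problem(s)"
rm -rf "$d"
```

On a real host, point `audit` at `/etc/ssh/sshd_config` and `/etc/pam.d/password-auth` (or `sshd`, depending on what the sshd stack includes). Whether a given build knows the Red Hat `KerberosUniqueCCache` keyword is best checked with `sshd -T`, which refuses to start on an unknown option; the script deliberately does not require it, since upstream sshd, Debian and Arch do not carry it.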
reply inline
On 7/11/2022 4:30 AM, Stephan Wonczak (a0...@rrz.uni-koeln.de) wrote:
> Hi Jeffrey,
> Thanks for having a look at the problem.
> However, I obviously did not do a very good job detailing exactly
> what we did ... so here's my next try. Warning: It is going to be
> lengthy :-)
> First
(resend without attachment - original Mail did not make it to the
list!)