[28629] in Kerberos
Re: Solaris 10 sshd + GSSAPI = where's my cred cache?
daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Thu Nov 1 15:54:08 2007
Message-ID: <472A2EC5.20300@anl.gov>
Date: Thu, 01 Nov 2007 14:53:41 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
To: Jeff Blaine <jblaine@kickflop.net>
In-Reply-To: <472A1C24.3020602@kickflop.net>
Cc: kerberos@mit.edu
Jeff Blaine wrote:
> I apologize for the general nature of this post. Maybe it's
> better posted to the secureshell list which is loaded with
> spam and is often choked up sitting on some server somewhere,
> but...
>
> I can ssh with GSSAPI auth to a Solaris 10 box fine. When
> I'm in though, klist says I have no credential cache and
> there's nothing useful in /tmp.

What does your /etc/pam.conf look like?

We force ssh via PAM to be a session based cred, and get AFS token too:

# Used by GSS, but ssh has bug about saving creds, so we use session based creds.
sshd-gssapi account requisite pam_roles.so.1
sshd-gssapi account required  pam_unix_account.so.1
sshd-gssapi account required  /krb5/lib/pam_krb5_ccache.so.1 ccache=/tmp/krb5cc_%u_%p
sshd-gssapi session required  pam_unix_session.so.1
sshd-gssapi session required  /krb5/lib/pam_afs2.so.1
sshd-gssapi session required  /krb5/lib/pam_krb5_ccache.so.1 cleaen

See:
ftp://achilles.ctd.anl.gov/pub/DEE/pam_krb5_ccache-0.1.tar
ftp://achilles.ctd.anl.gov/pub/DEE/pam_afs2-0.1.tar

>
> Has anyone come across this and found an answer?
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444