[28632] in Kerberos


Re: Solaris 10 sshd + GSSAPI = where's my cred cache?

daemon@ATHENA.MIT.EDU (Jeff Blaine)
Thu Nov 1 16:32:20 2007

Message-ID: <472A37AB.6020302@kickflop.net>
Date: Thu, 01 Nov 2007 16:31:39 -0400
From: Jeff Blaine <jblaine@kickflop.net>
MIME-Version: 1.0
To: "Douglas E. Engert" <deengert@anl.gov>
In-Reply-To: <472A2EC5.20300@anl.gov>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Douglas E. Engert wrote:
> Jeff Blaine wrote:
>> I apologize for the general nature of this post.  Maybe it's
>> better posted to the secureshell list which is loaded with
>> spam and is often choked up sitting on some server somewhere,
>> but...
>>
>> I can ssh with GSSAPI auth to a Solaris 10 box fine.  When
>> I'm in though, klist says I have no credential cache and
>> there's nothing useful in /tmp.
> 
> What does your /etc/pam.conf look like?

I was using the sshd non-PAM GSSAPIAuthentication (enabled
by default).

> We force ssh via PAM to be a session based cred, and get AFS token too:
> 
> # Used by GSS, but ssh has bug about saving creds, so we use session based creds.

That kind of explains things then.  I guess it's a bug, eh?

PAM works better for us anyway, I was just thinking I might
have poor luck with it and ticket forwarding.

I'll give it a shot.

> sshd-gssapi   account requisite  pam_roles.so.1
> sshd-gssapi   account required   pam_unix_account.so.1
> sshd-gssapi   account required   /krb5/lib/pam_krb5_ccache.so.1  ccache=/tmp/krb5cc_%u_%p
> 
> sshd-gssapi   session required  pam_unix_session.so.1
> sshd-gssapi   session required  /krb5/lib/pam_afs2.so.1
> sshd-gssapi   session required  /krb5/lib/pam_krb5_ccache.so.1  cleaen

I'll

> See:
> ftp://achilles.ctd.anl.gov/pub/DEE/pam_krb5_ccache-0.1.tar
> ftp://achilles.ctd.anl.gov/pub/DEE/pam_afs2-0.1.tar
> 
>>
>> Has anyone come across this and found an answer?
>> ________________________________________________
>> Kerberos mailing list           Kerberos@mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
> 