I'm a bit curious about how _you_ folks do your Kerberos/SecureNFS/SSH integration into your Solaris 8/9/10 systems?

Here are my conclusions so far (which might be wrong, please let me know if that's the case!):

Solaris 10: The built-in Kerberos/SecureNFS/SSH works just fine except for a few minor nitpicks - SSH stores any forwarded Kerberos credentials into /tmp/krb5cc_$uid and thus never removes them when you log out. I also noticed that it (sometimes?) doesn't even remove/replace a timed-out ticket when you log in again - causing problems with NFS (no $HOME until you either kinit or kdestroy+logout+login).

Solaris 9: SEAM works fine and integrates with NFS. However, SunSSH doesn't understand GSSAPI_KEX and thus ticket forwarding doesn't work. And you can't compile your own SSH that integrates with Solaris' builtin Kerberos/RPCSEC_GSS framework due to the missing Kerberos headers and libraries...

Solaris 8: Same issues as with Solaris 9 - and no SunSSH at all...

Another alternative is to build your own - if you build your own MIT Kerberos (1.4.1) and OpenSSH (4.0p1) and the pam_krb5 from sourceforge, then login authentication works and SSH GSSAPI_KEX ticket forwarding works, but it doesn't integrate with Solaris' own GSSAPI framework (MIT Kerberos has its own) and then Secure NFS doesn't work... However, session ticket cleanup works since SSH puts the forwarded tickets into a session-local credentials cache (/tmp/krb5cc_$uid_$random) - which causes autofs to fail since it only looks into /tmp/krb5cc_$uid.

So - how should _you_ set things up?

- Peter

--
Peter Eriksson <peter@ifm.liu.se>
Phone: +46 13 28 2786
Computer Systems Manager/BOFH
Cell/GSM: +46 705 18 2786
Physics Department, Linköping University
Room: Building F, F203
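An added example, not part of the post above: a POSIX sh audit that sorts credential caches in a directory into the two naming schemes the post describes (krb5cc_$uid and krb5cc_$uid_$random) and reports those left unmodified for more than a given number of days. The function names, and the use of file age as a stand-in for "ticket expired and never cleaned up", are assumptions of this example.

```shell
#!/bin/sh
# Added example: find Kerberos credential caches left behind after logout.
# Assumption: a cache untouched for more than N days holds an expired ticket.

# classify_ccache PATH -> "default <uid>", "session <uid>" or "other"
classify_ccache() {
    name=${1##*/}
    case $name in
        krb5cc_*) rest=${name#krb5cc_} ;;
        *) echo other; return 0 ;;
    esac
    uid=${rest%%_*}
    case $uid in
        ''|*[!0-9]*) echo other; return 0 ;;   # not a numeric uid
    esac
    if [ "$rest" = "$uid" ]; then
        echo "default $uid"     # /tmp/krb5cc_$uid, shared by all sessions
    else
        echo "session $uid"     # /tmp/krb5cc_$uid_$random, one per session
    fi
}

# audit_ccaches DIR [DAYS] -> one line per stale cache: "<kind> <uid> <path>"
audit_ccaches() {
    dir=$1
    days=${2:-0}
    for f in "$dir"/krb5cc_*; do
        # find -type f does not follow symlinks, so planted links are skipped
        if [ -n "$(find "$f" -prune -type f -mtime +"$days" 2>/dev/null)" ]; then
            kind=$(classify_ccache "$f")
            if [ "$kind" != other ]; then
                echo "$kind $f"
            fi
        fi
    done
    return 0
}

# Usage: audit_ccaches /tmp 0    (caches at least one day old)
```
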