On Tue, Mar 30, 2004 at 03:53:06AM +0100, Colin Watson wrote: > On Mon, Mar 29, 2004 at 07:58:24PM -0600, Ryan Underwood wrote: > > Package: ssh > > Version: 1:3.8p1-2 > > Severity: normal > > > > > > Usage of OpenSSH with pam_krb5 has been broken for some versions now. > > Don't you have to use ssh-krb5 for this? No. I had a working setup that was broken at ssh 3.7*. This is different from GSS-API krb5 which has kerberos support compiled directly into the ssh server. pam_krb5 is used at auth and session stages to verify the user's password with the MIT krb5 server and to create a credentials cache. The privsep and related work has changed the way pam modules are run, which causes pam_krb5 to not be able to pass the credentials to the user's eventual shell. Thus, the user can pass authentication against the kerberos server, but when he gets a shell, he has no credentials. Building ssh with pthreads is a claimed fix by many people, but building the Debian version with that patch gave the aforementioned error when a user tries to log in. A similar fix is in SuSE 9.0 and Gentoo it seems. -- Ryan Underwood, <nemesis@icequake.net>
Attachment:
signature.asc
Description: Digital signature