Subject: Re: PAM and OpenSSH
To: Emmanuel Dreyfus <manu@netbsd.org>
From: Greg Troxel <gdt@ir.bbn.com>
List: tech-userlevel
Date: 01/26/2005 08:55:09
Perhaps everyone already knows all this, but I didn't see much if any
mention of the two very distinct ways ssh and kerberos can be used together.
An sshd can accept a username and password, and try to get tickets,
and then a service ticket for host/f.q.d.n@REALM, and if that ticket
works, allow the user to log in, provide the tickets to the user,
and clean them up afterwards. I don't know any reason this should be
different from how login behaves.
An ssh client can, rather than sending a username/password to the
sshd, send a username and a GSSAPI authenticator (or raw krb5, but krb
culture views that as icky). The remote sshd checks the authenticator
against host credentials. On should also be able to send forwarded
tickets, and have those be cleaned up on exit.
So a complete ssh implementation will need some GSSAPI code for the
second case, although perhaps PAM calls can do some of the work.
--
Greg Troxel <gdt@ir.bbn.com>