Re: Compiling OpenSSH with Kerberos support
From: Darren Tucker (dtucker_at_gate.dodgy.net.au)
Date: 11/29/05
- Next message: Darren Tucker: "Re: Getting IP's added to log entry"
- Previous message: Darren Tucker: "Re: Expired password, openssh not invoking password change."
- In reply to: pseudometric: "Re: Compiling OpenSSH with Kerberos support"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 29 Nov 2005 03:18:36 GMT
On 2005-11-28, pseudometric <res@qoxp.net> wrote:
> This is correct. The MIT Kerberos API is not a standard, and Sun does
> not consider it stable enough to support. The only way you can use
> Kerberos with Sun's software is via GSSAPI. This is the rationale I
> got from Sun support when I ran into this same issue.
>
> As a result, we had to compile & install MIT Kerberos alongside Sun's
> version, even though the overlap. We use Sun's where possible, and MIT
> when we have to. I pray it doesn't cause us some obscure problem
> someday.
We have had reports of a problem with sshd segfaulting when compiled
with both --with-pam and --with-kerberos5=[mitkrb5]. It segfaults deep
inside the Solaris pam_krb5 module. Omit either PAM or krb5 support
and it will work fine.
The bug record is here:
http://bugzilla.mindrot.org/show_bug.cgi?id=1095
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
- Next message: Darren Tucker: "Re: Getting IP's added to log entry"
- Previous message: Darren Tucker: "Re: Expired password, openssh not invoking password change."
- In reply to: pseudometric: "Re: Compiling OpenSSH with Kerberos support"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
