Acquiring GSS Credentials in Solaris Secure Shell
To use GSS-API for authentication in Solaris Secure Shell, the server must have GSS-API acceptor credentials and the client must have GSS-API initiator credentials. Support is available for mech_dh and for mech_krb5.
For mech_dh, the server has GSS-API acceptor credentials if root has run the keylogin command.
For mech_krb5, the server has GSS-API acceptor credentials when the host principal that corresponds to the server has a valid entry in /etc/krb5/krb5.keytab.
The client has initiator credentials for mech_dh if one of the following has been done:
-
The keylogin command has been run.
-
The pam_dhkeys module is used in the pam.conf file.
The client has initiator credentials for mech_krb5 if one of the following has been done:
-
The kinit command has been run.
-
The pam_krb5 module is used in the pam.conf file.
For the use of mech_dh in secure RPC, see Chapter 16, Using Authentication Services (Tasks). For the use of mech_krb5, see Chapter 21, Introduction to the Kerberos Service. For more information on mechanisms, see the mech(4) and mech_spnego(5) man pages.
- © 2010, Oracle Corporation and/or its affiliates