To use GSS-API authentication in Secure Shell, the server must have GSS-API acceptor credentials and the client must have GSS-API initiator credentials. Support is available for mech_krb5.
For mech_krb5, the server has GSS-API acceptor credentials when the host principal that corresponds to the server has a valid entry in /etc/krb5/krb5.keytab.
The client has initiator credentials for mech_krb5 if one of the following has been done:
The kinit command has been run.
The pam_krb5 module is used in the pam.conf file.
See also Per-Session GSS-API Credentials. For more information about mechanisms, see the mech(4) man page.
Oracle Solaris supports per-session GSS-API credentials. The sshd_config file contains the option, GSSAPIUseDefaultCCache. By default, this option is set to yes.
The default behavior is the following:
Delegated credentials are stored in the default credential cache
KRB5CCNAME is not set
The credentials are not deleted when the session ends
When you change this value to no, you create per-session credentials:
Delegated credentials are stored in a per-session credential cache in /tmp/krb5cc_uid_XXXXXX
The file path is created using a random pattern.
KRB5CCNAME points to the cache file path.
If the GSSAPICleanupCredentials variable is set to the default value of yes, the credential cache is destroyed upon logout. This variable is in the sshd_config file.
For more information, use the man command to view the sshd_config (4) man page.