Go to main content

Managing Secure Shell Access in Oracle® Solaris 11.3

Exit Print View

Updated: October 2019

GSS-API Authentication in Secure Shell

To use GSS-API authentication in Secure Shell, the server must have GSS-API acceptor credentials and the client must have GSS-API initiator credentials. Support is available for mech_krb5.

For mech_krb5, the server has GSS-API acceptor credentials when the host principal that corresponds to the server has a valid entry in /etc/krb5/krb5.keytab.

    The client has initiator credentials for mech_krb5 if one of the following has been done:

  • The kinit command has been run.

  • The pam_krb5 module is used in the pam.conf file.

See also Per-Session GSS-API Credentials. For more information about mechanisms, see the mech(4) man page.

Per-Session GSS-API Credentials

Oracle Solaris supports per-session GSS-API credentials. The sshd_config file contains the option, GSSAPIUseDefaultCCache. By default, this option is set to yes.

    The default behavior is the following:

  • Delegated credentials are stored in the default credential cache

  • KRB5CCNAME is not set

  • The credentials are not deleted when the session ends

    When you change this value to no, you create per-session credentials:

  • Delegated credentials are stored in a per-session credential cache in /tmp/krb5cc_uid_XXXXXX

    The file path is created using a random pattern.

  • KRB5CCNAME points to the cache file path.

  • If the GSSAPICleanupCredentials variable is set to the default value of yes, the credential cache is destroyed upon logout. This variable is in the sshd_config file.

For more information, use the man command to view the sshd_config (4) man page.