
Re: Forwarding Kerberos Credentials - SSH

daemon@ATHENA.MIT.EDU (Donn Cave)
Thu Jun 19 13:43:20 2003

From: Donn Cave <donn@u.washington.edu>
Date: Thu, 19 Jun 2003 10:22:50 -0700
Message-ID: <donn-DDE2B2.10225019062003@nntp6.u.washington.edu>
To: kerberos@MIT.EDU
Errors-To: kerberos-bounces@mit.edu

In article <m38yry4gge.fsf@magma.savecore.net>,
 Frank Cusack <fcusack@fcusack.com> wrote:
> Wow.  Lots of info. :-)  I'll quote it all, since it's so involved that
> it will be useful to have a complete reference in a single message.

Good - so, folks who want that complete reference:  you know where to go!

> No.  Only if you want to use ssh protocol 2.  ahhh... this is the problem.
> By default, ssh will select protocol 2.  Which doesn't support krb5.  So
> you must tell it to use protocol 1, and probably must tell the server
> to do krb5 (probably sshd_config on the server doesn't accept krb5 by
> default).

I found this all a little confusing, and I'm sure there are people
here who know more about the GSSAPI OpenSSH patch, but in case it
helps ...  The way I read it, he applied this patch with the expectation
that it provides Kerberos support for protocol 2, and that is true -
it should.  Only between patched OpenSSH servers and clients, because
unfortunately it doesn't interoperate with the ssh.com approach to
Kerberos 5 for protocol 2.  I agree that ssh -v ought to help narrow
down the problem.  It might be worth trying some other Kerberos 5
application - I believe we're talking about Redhat Linux here, where
the telnet and ftp applications should support Kerberos 5.

Secondly I think the term "forwarding" doesn't apply to the scenarios
I'm reading about here.  If you log in to sshd with your Kerberos
password, the remote credentials acquired in the process are actually
local in this sense - they reside on the host that acquired them, as
sshd did that.  When used to authenticate to some service from there,
that's just simple basic Kerberos authentication, no forwarding needed.

   Donn Cave, donn@u.washington.edu
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
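As an added example (not part of this thread or of OpenSSH), the two checks Frank points at, whether sshd_config actually accepts Kerberos/GSSAPI for protocol 2 and what `ssh -v` shows the server offering, scripted over constructed sample input. It assumes the standard sshd_config keywords (`Protocol`, `KerberosAuthentication`, `GSSAPIAuthentication`) and sshd's rule that the first occurrence of a keyword wins.

```shell
#!/bin/sh
# Added example, not from the mailing list thread: inspect an sshd_config
# and an "ssh -v" transcript to see whether Kerberos 5 / GSSAPI auth is
# really enabled for protocol 2. All sample input below is constructed.

# Effective value of an sshd_config keyword. sshd uses the FIRST
# occurrence of a keyword, so later duplicates are ignored here as well.
sshd_setting() {   # $1 = config file, $2 = keyword (case-insensitive)
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Auth methods the server offered, taken from the first "ssh -v" line.
offered_methods() {  # $1 = transcript file
    grep 'Authentications that can continue:' "$1" | head -n 1 | sed 's/.*continue: //'
}

# True if the server offered GSSAPI (Kerberos 5 over protocol 2).
gssapi_offered() {
    offered_methods "$1" | tr ',' '\n' | grep -qx 'gssapi-with-mic'
}

# --- constructed sample data ---
CONF=$(mktemp)
LOG=$(mktemp)
trap 'rm -f "$CONF" "$LOG"' EXIT
cat > "$CONF" <<'EOF'
# constructed sshd_config fragment
Protocol 2
KerberosAuthentication no
GSSAPIAuthentication yes
GSSAPIAuthentication no   # ignored: first occurrence wins
EOF

cat > "$LOG" <<'EOF'
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
EOF

echo "Protocol:               $(sshd_setting "$CONF" Protocol)"
echo "KerberosAuthentication: $(sshd_setting "$CONF" KerberosAuthentication)"
echo "GSSAPIAuthentication:   $(sshd_setting "$CONF" GSSAPIAuthentication)"
if gssapi_offered "$LOG"; then echo "server offered gssapi-with-mic"; fi
```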
