[19451] in Kerberos
Re: Forwarding Kerberos Credentials - SSH
daemon@ATHENA.MIT.EDU (Frank Cusack)
Thu Jun 19 23:27:17 2003
From: Frank Cusack <fcusack@fcusack.com>
Date: Thu, 19 Jun 2003 20:21:18 -0700
Message-ID: <x5y1xxpigcx.fsf@vger.corp.google.com>
To: kerberos@MIT.EDU
Errors-To: kerberos-bounces@mit.edu
On Thu, 19 Jun 2003 10:22:50 -0700 Donn Cave <donn@u.washington.edu> wrote:
> unfortunately it doesn't interoperate with the ssh.com approach to
> Kerberos 5 for protocol 2.
Which, AIUI, was rejected in the IETF for being deficient. Regardless
of any deficiencies (or not) in the ssh.com approach, the GSSAPI
approach is superior. I won't go into the reasons why; interested
readers can do some Google research.
> Secondly I think the term "forwarding" doesn't apply to the scenarios
> I'm reading about here. If you log in to sshd with your Kerberos
> password, the remote credentials acquired in the process are actually
> local in this sense - they reside on the host that acquired them, as
Right. That's not what the poster wants. That's not Kerberos
authentication, that's password authentication.
> sshd did that. When used to authenticate to some service from there,
> that's just simple basic Kerberos authentication, no forwarding needed.
The original poster wants to log in LOCALLY with krb5, ssh to a remote
machine with KERBEROS authentication; the forwarding is needed so that
on the remote machine he can subsequently obtain tickets for xyz service
(say, AFS).
/fc