[19456] in Kerberos
Re: Forwarding Kerberos Credentials - SSH
daemon@ATHENA.MIT.EDU (Henry B. Hotz)
Fri Jun 20 14:35:45 2003
Mime-Version: 1.0
Message-Id: <p0521060bbb1902beb3a0@[137.78.212.225]>
In-Reply-To: <200306200852.h5K8q0k0020961@pch.mit.edu>
Date: Fri, 20 Jun 2003 11:34:53 -0700
To: kerberos@mit.edu
From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Errors-To: kerberos-bounces@mit.edu
At 4:52 AM -0400 6/20/03, kerberos-request@mit.edu wrote:
>Date: Thu, 19 Jun 2003 20:21:18 -0700
>From: Frank Cusack <fcusack@fcusack.com>
>To: kerberos@MIT.EDU
>Subject: Re: Forwarding Kerberos Credentials - SSH
> > Secondly I think the term "forwarding" doesn't apply to the scenarios
>> I'm reading about here. If you log in to sshd with your Kerberos
>> password, the remote credentials acquired in the process are actually
>> local in this sense - they reside on the host that acquired them, as
>
>Right. That's not what the poster wants. That's not kerberos
>authentication, that's password authentication.
>
>> sshd did that. When used to authenticate to some service from there,
>> that's just simple basic Kerberos authentication, no forwarding needed.
>
>The original poster wants to login LOCALLY with krb5, ssh to a remote
>machine with KERBEROS authentication; the forwarding is needed so that
>on the remote machine he can subsequently obtain tickets for xyz service
>(say, afs).
>
>/fc
"Me Too" (TM)
So, is that possible?
Ideally, is it possible in an application that only talks generic
SSL, so that it could in turn call a module that made use of the tgt?
(The thread is sshd, but I'm thinking maybe
Apache/{PHP,Perl}/{Postgres,AFS}.)
--
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
