Re: TGT forwarding when cross-realm auth?
Date: Sat, 04 Jun 2005 19:15:36 -0400
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: vadim <vadim.tarassov@swissonline.ch>, kerberos@mit.edu
Message-ID: <998413A71C5F9165120AEB07@sirius.fac.cs.cmu.edu>
In-Reply-To: <1117871202.13377.19.camel@localhost.localdomain>
On Saturday, June 04, 2005 09:46:42 AM +0200 vadim
<vadim.tarassov@swissonline.ch> wrote:
> 1) we (realm A) do not trust realm B and do not want credentials from
> realm A to be saved on that filesystem.
Then you need to configure your ssh client not to forward credentials to
hosts in realm B, or else be careful not to ssh to hosts in realm B when
you have credentials you don't want to forward there.
Ideally, you'd be able to set your ssh client so it would not forward
credentials from realm A, but would be willing to forward credentials from
realm B. However, I am not aware of any ssh client that offers such a
feature -- usually, the decision is made based solely on the name of the
server host.
> 2) we however still want users to login from A to B without entering
> passwords.
That's fine; you do not need to forward credentials in order to get a
Kerberos-authenticated SSH connection. GSSAPI authentication and
credential delegation (forwarding) are generally configured separately for
just this reason.
However, the only way to get a krbtgt/B@B TGT is either to forward one you
already have, or to obtain one from the realm B KDC either by typing a
password or by using a keytab file containing your key.
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
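The client-side setup Jeff describes, as an added example that is not part of the original message or of any MIT Kerberos or OpenSSH documentation: an OpenSSH ssh_config fragment that keeps GSSAPI (Kerberos) authentication on for every host but only delegates (forwards) the TGT to hosts in the local realm. The hostname patterns `*.a.example` and `*.b.example` are assumptions standing in for realms A and B; substitute your own domains.

```sshconfig
# Added example, not from the original message. The hostname patterns are
# assumptions for realm A (ours) and realm B (untrusted); replace them.
# OpenSSH matches "Host" against the name given on the command line, so
# the forward/no-forward decision is made purely on the server host name,
# exactly the limitation described above.

# Realm B hosts: Kerberos login is fine, but never forward our realm A TGT.
# This stanza must precede the catch-all: the first match for an option wins.
Host *.b.example
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no

# Realm A hosts (our own realm): authentication and delegation both allowed.
Host *.a.example
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

# Everything else: still authenticate with Kerberos, but fail closed on
# delegation. A short name or alias that matches neither pattern above
# lands here, so the safe default is "no".
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
```

To confirm what the client will actually do for a given name, `ssh -G somehost.b.example | grep -i gssapi` (OpenSSH 6.8 and later) prints the effective GSSAPIAuthentication and GSSAPIDelegateCredentials values after all Host stanzas are applied. After logging in, `klist` on the realm B host should report no credentials cache for your principal, since nothing was forwarded. The realm B sshd still needs `GSSAPIAuthentication yes` and a host keytab for the login itself to work without a password; delegation is a separate knob on both ends, which is the point made above.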