
Re: TGT forwarding when cross-realm auth?

daemon@ATHENA.MIT.EDU (Jeffrey Hutzelman)
Sat Jun 4 19:16:58 2005

Date: Sat, 04 Jun 2005 19:15:36 -0400
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: vadim <vadim.tarassov@swissonline.ch>, kerberos@mit.edu
Message-ID: <998413A71C5F9165120AEB07@sirius.fac.cs.cmu.edu>
In-Reply-To: <1117871202.13377.19.camel@localhost.localdomain>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Errors-To: kerberos-bounces@mit.edu
On Saturday, June 04, 2005 09:46:42 AM +0200 vadim 
<vadim.tarassov@swissonline.ch> wrote:
> 1) we (realm A) do not trust realm B and do not want credentials from
> realm A to be saved on that filesystem.

Then you need to configure your ssh client not to forward credentials to 
hosts in realm B, or else be careful not to ssh to hosts in realm B when 
you have credentials you don't want to forward there.

Ideally, you'd be able to set your ssh client so it would not forward 
credentials from realm A, but would be willing to forward credentials from 
realm B.  However, I am not aware of any ssh client that offers such a 
feature -- usually, the decision is made based solely on the name of the 
server host.
> 2) we however still want users to login from A to B without entering
> passwords.

That's fine; you do not need to forward credentials in order to get a 
Kerberos-authenticated SSH connection.  GSSAPI authentication and 
credential delegation (forwarding) are generally configured separately for 
just this reason.
However, the only way to get a krbtgt/B@B TGT is either to forward one you 
already have, or to obtain one from the realm B KDC either by typing a 
password or by using a keytab file containing your key.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
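The separation the reply describes, authenticating with GSSAPI while refusing to delegate the realm A TGT to hosts in realm B, maps onto two OpenSSH client options, GSSAPIAuthentication and GSSAPIDelegateCredentials, which are set per Host block. The script below is an added example, not part of the mailing-list post: it prints such a policy and audits a client config for every Host pattern that would still receive a forwarded ticket. The domains realm-a.example and realm-b.example are constructed placeholders; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the post): per-host OpenSSH client policy that uses
# the Kerberos ticket for authentication everywhere but forwards (delegates)
# it only to hosts in our own realm. Realm domains are constructed placeholders.

# Print an ssh_config fragment implementing the policy.
gss_policy_config() {
    cat <<'EOF'
# Hosts in the untrusted realm B: authenticate with the ticket, never forward it.
Host *.realm-b.example
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no

# Hosts in our own realm A: authenticate and forward.
Host *.realm-a.example
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

# Deny-by-default for anything not matched above.
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
EOF
}

# Audit: print each Host pattern in an ssh_config file whose block enables
# credential delegation. Tracks the most recent "Host" line and reports it
# whenever a "GSSAPIDelegateCredentials yes" follows (keywords are
# case-insensitive, as in ssh_config). Match blocks are not handled here.
delegation_targets() {
    awk '
        tolower($1) == "host" { pat = $2 }
        tolower($1) == "gssapidelegatecredentials" && tolower($2) == "yes" { print pat }
    ' "$1"
}

# Demonstration: write the policy to a temporary file, list the patterns that
# would receive a forwarded TGT, and, when an ssh client is installed, show the
# effective setting for a realm B host via `ssh -G` (OpenSSH 6.8 and later,
# which prints the resolved configuration without connecting).
demo_cfg=$(mktemp)
gss_policy_config > "$demo_cfg"
echo "Host patterns that would receive a forwarded TGT:"
delegation_targets "$demo_cfg"
if command -v ssh >/dev/null 2>&1; then
    echo "Effective setting for login.realm-b.example:"
    ssh -G -F "$demo_cfg" login.realm-b.example | grep -i '^gssapidelegatecredentials'
fi
rm -f "$demo_cfg"
```

The audit is the check worth running on a real ~/.ssh/config: any pattern it prints is a host the client would hand a realm A TGT to. Because ssh resolves the first matching value, the order of Host blocks matters; `ssh -G hostname` is the authoritative way to confirm what a particular host would actually get.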
