[32348] in Kerberos

Re: using a ssh key for krb5 mount

daemon@ATHENA.MIT.EDU (Nicolas Williams)
Mon May 17 11:28:59 2010

Date: Mon, 17 May 2010 10:28:41 -0500
From: Nicolas Williams <Nicolas.Williams@oracle.com>
To: Richard Smits <R.Smits@tudelft.nl>
Message-ID: <20100517152840.GS9429@oracle.com>
In-Reply-To: <4BF15A87.7010008@tudelft.nl>
Cc: kerberos@mit.edu

On Mon, May 17, 2010 at 05:02:31PM +0200, Richard Smits wrote:
> But my question is, is this possible ? Obtaining a krb5 ticket with ssh 
> public/private key mechanism ?

SSHv2 supports the use of Kerberos via the GSS-API.  Putty, OpenSSH,
SunSSH, Van Dyke, and various other implementations all support that,
and that is what you should use (plus credential delegation).

The only way to do what you actually propose would be by having PKINIT
user certificates whose subject public keys are also the users' SSH
public keys or by adding a PKIX-agent to go with ssh-agent.  That is not
a common usage, and so not supported by any software that I know, but it
is technically doable.  The more complex issue is: how to authenticate
to a remote server using SSH public keys, forward an ssh-agent, and get
the remote server to automatically obtain a TGT using PKINIT and your
forwarded agent.  Nothing supports that to my knowledge.

Nico
-- 
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
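
Added example, not part of the original message: a minimal OpenSSH configuration for the GSS-API authentication plus credential delegation that the reply recommends. It assumes OpenSSH built with GSS-API support on both ends, a host/ service key for the server in its keytab, and a TGT already obtained on the client with kinit; the *.example.org pattern is a placeholder.

```sshconfig
# --- Client: ~/.ssh/config -------------------------------------------
# ssh uses the first value it finds for each option, so the specific
# Host block must come before the catch-all one.

# Hosts in the (placeholder) Kerberos-enabled domain: authenticate with
# the existing ticket and forward the TGT, so the remote session has
# Kerberos credentials of its own (e.g. for a krb5-protected mount).
Host *.example.org
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

# Everywhere else: never hand over the TGT. A delegated TGT can be used
# by whoever controls the remote host for as long as it is valid.
Host *
    GSSAPIDelegateCredentials no

# --- Server: /etc/ssh/sshd_config ------------------------------------
# Accept GSS-API (Kerberos) user authentication.
GSSAPIAuthentication yes
# Destroy the delegated credential cache when the session ends.
GSSAPICleanupCredentials yes
```

On the command line, ssh -K enables delegation for a single connection and ssh -k disables it; running klist in the remote session shows whether a forwarded TGT arrived.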