
Re: using a ssh key for krb5 mount

daemon@ATHENA.MIT.EDU (Ken Raeburn)
Mon May 17 11:33:49 2010

Mime-Version: 1.0 (Apple Message framework v1078)
From: Ken Raeburn <raeburn@mit.edu>
In-Reply-To: <4BF15A87.7010008@tudelft.nl>
Date: Mon, 17 May 2010 11:33:41 -0400
Message-Id: <6DA45C55-E204-434A-BBA4-4C36B585B439@mit.edu>
To: Richard Smits <R.Smits@tudelft.nl>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On May 17, 2010, at 11:02, Richard Smits wrote:
> But now we have a user who wants to authenticate from home with his ssh
> private/public key. His public key is in his homedir. (Which is not
> mounted yet)
> 
> If the user logs in, this mechanism works for a couple of hours.
> (ticket is valid then)
> 
> But my question is, is this possible? Obtaining a krb5 ticket with ssh
> public/private key mechanism?

No.  For the basic Kerberos protocol, you need a single shared secret between the user and the KDC; a public/private key pair not known to the KDC won't do.

There is the PKINIT "preauthentication" system in Kerberos, which uses certificates.
One could perhaps rig something up where certificates are created using the same keys as used for SSH, but it needs to be signed by an authority that the KDC trusts, and the user would need to keep that signed certificate around, so there's really not much point in trying to tie it to the SSH keys.  And if the user's still stuck with the horrible inconvenience of running Kerberos at home, PKINIT vs "regular" Kerberos may not make much of a difference.

Ken
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
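The point Ken makes above, that the basic AS exchange cannot work without a secret the KDC shares with the user, can be seen in a miniature model of the exchange. The following Python is an added illustration, not code from the list thread or from MIT Kerberos: it replaces real Kerberos encryption types with a toy HMAC-based cipher, uses PBKDF2 as a stand-in for string2key, and keeps the KDC "database" as a dict. The principals, the password and the SSH public key placeholder are constructed for the example. The entry for the user who only has an SSH key is refused before any cryptography happens, because the KDC has nothing to verify the preauth against and nothing to encrypt the reply under.

```python
import hashlib
import hmac
import os
import time

REALM = "EXAMPLE.COM"          # constructed realm for the example
CLOCK_SKEW = 300               # seconds; the conventional Kerberos tolerance


def string_to_key(password: str, salt: str) -> bytes:
    """Stand-in for Kerberos string2key: derive a long-term key from a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption (NOT a real Kerberos etype): HMAC stream + HMAC tag."""
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("integrity check failed (wrong key or tampered data)")
    return bytes(c ^ s for c, s in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


# Constructed KDC principal database. Kerberos salts the password with realm+name by default.
KDC_DB = {
    f"alice@{REALM}": {"key": string_to_key("correct horse", f"{REALM}alice")},
    # Bob's entry carries only an SSH public key: the KDC shares no secret with him.
    f"bob@{REALM}": {"ssh_pubkey": "ssh-ed25519 AAAA...constructed-placeholder..."},
    f"krbtgt/{REALM}@{REALM}": {"key": os.urandom(32)},
}


def kdc_as_exchange(client: str, pa_enc_timestamp: bytes):
    """KDC side of AS-REQ with encrypted-timestamp preauth; returns (TGT, enc-part)."""
    entry = KDC_DB.get(client)
    if entry is None:
        raise LookupError(f"{client}: unknown principal")
    if "key" not in entry:
        # The thread's answer in one line: no shared secret, so the exchange cannot proceed.
        raise LookupError(f"{client}: no long-term key shared with the KDC")
    stamp = int.from_bytes(unseal(entry["key"], pa_enc_timestamp), "big")  # raises on wrong key
    if abs(time.time() - stamp) > CLOCK_SKEW:
        raise ValueError("preauth timestamp outside allowed clock skew")
    session_key = os.urandom(32)
    tgt = seal(KDC_DB[f"krbtgt/{REALM}@{REALM}"]["key"], client.encode() + b"|" + session_key)
    enc_part = seal(entry["key"], session_key)   # only the shared secret can unlock this
    return tgt, enc_part


def client_kinit(principal: str, password: str):
    """Client side: build PA-ENC-TIMESTAMP from the password-derived key, decrypt the reply."""
    name = principal.split("@")[0]
    key = string_to_key(password, REALM + name)
    pa = seal(key, int(time.time()).to_bytes(8, "big"))
    tgt, enc_part = kdc_as_exchange(principal, pa)
    return tgt, unseal(key, enc_part)


def tgs_client_name(tgt: bytes) -> str:
    """What a TGS would do: open the TGT under the krbtgt key and read the client name."""
    return unseal(KDC_DB[f"krbtgt/{REALM}@{REALM}"]["key"], tgt).split(b"|")[0].decode()


def try_kinit(principal: str, password: str) -> str:
    """Outcome summary for the three cases discussed in the thread."""
    try:
        client_kinit(principal, password)
        return "OK"
    except LookupError:
        return "NO_SHARED_SECRET"
    except ValueError:
        return "PREAUTH_FAILED"


if __name__ == "__main__":
    for who, pw in ((f"alice@{REALM}", "correct horse"), (f"alice@{REALM}", "wrong"), (f"bob@{REALM}", "anything")):
        print(who, try_kinit(who, pw))
```

Bob's failure is structural rather than a matter of a wrong password: whatever the client sends, the KDC's lookup yields no key. That is the gap PKINIT fills by replacing the encrypted-timestamp step with a certificate the KDC can validate against a CA it trusts, which is why Ken notes that simply reusing the SSH key pair gains nothing unless such a certificate exists.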
