[37571] in Kerberos
A way to automatically get a ticket through ssh for a local user
daemon@ATHENA.MIT.EDU (Mauro Cazzari)
Thu Jul 14 17:59:16 2016
From: Mauro Cazzari <mymagicid@gmail.com>
Date: Thu, 14 Jul 2016 17:32:43 -0400
Message-ID: <CAFUXA2BwFds7zZ_4vKPDhTnBb_wFrw4jqwtmUDk5PAzUHr2RSg@mail.gmail.com>
To: Kerberos@mit.edu
I've been trying to figure out whether there is a way for a local user on
Unix to automatically get a ticket when logging onto a server using ssh.
Keep in mind that the KDC being used doesn't interface with LDAP, but it's
rather a standalone KDC. After having added a principal to the KDC for a
test id, I was able to log on to the ssh server and see that a ticket had
been acquired. However, any subsequent logons to other ssh servers generate
no tickets at all. For completeness, the first logon asks for a password,
whereas the others don't. If I force the use of a password for the other
logons, then a ticket gets regularly generated. Ideally, I'd like to ssh
from one server to another getting a new ticket every time.
These are the current settings I have in ssh_config:

    Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPIKeyExchange yes

These are my settings in sshd_config:

    # Kerberos options
    KerberosAuthentication yes
    KerberosOrLocalPasswd yes
    KerberosTicketCleanup yes
    #KerberosGetAFSToken no
    #KerberosUseKuserok yes

    # GSSAPI options
    #GSSAPIAuthentication no
    GSSAPIAuthentication yes
    #GSSAPICleanupCredentials yes
    GSSAPICleanupCredentials yes
    #GSSAPIStrictAcceptorCheck yes
    GSSAPIKeyExchange yes
    UsePAM yes

Is there anything else that needs to be set in order for tickets to be
automatically generated following a ssh to a server?

Thanks!
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos