[37574] in Kerberos
Re: A way to automatically get a ticket through ssh for a local user
daemon@ATHENA.MIT.EDU (Diogenes S. Jesus)
Fri Jul 15 04:39:20 2016
In-Reply-To: <CAFUXA2BwFds7zZ_4vKPDhTnBb_wFrw4jqwtmUDk5PAzUHr2RSg@mail.gmail.com>
From: "Diogenes S. Jesus" <splash@gmail.com>
Date: Fri, 15 Jul 2016 10:38:42 +0200
Message-ID: <CAD8MJvBb2cyrBmpW30bK-oiAZ_6e0eY0+CpHD05TbNvOxa2rpw@mail.gmail.com>
To: Mauro Cazzari <mymagicid@gmail.com>
Cc: kerberos@mit.edu
Hi
Apart from what the others said, don't forget your sshd server must have
"GSSAPIAuthentication yes" in your sshd_config - the default is no.
Dio
On Thu, Jul 14, 2016 at 11:32 PM, Mauro Cazzari <mymagicid@gmail.com> wrote:
> I've been trying to figure out whether there is a way for a local user on
> Unix to automatically get a ticket when logging onto a server using ssh.
> Keep in mind that the KDC being used doesn't interface with LDAP, but it's
> rather a standalone KDC. After having added a principal to the KDC for a
> test id, I was able to log on to the ssh server and see that a ticket had
> been acquired. However, any subsequent logons to other ssh servers generate
> no tickets at all. For completeness, the first logon asks for a password,
> whereas the others don't. If I force the use of a password for the other
> logons, then a ticket gets regularly generated. Ideally, I'd like to ssh
> from one server to another getting a new ticket every time.
> These are the current settings I have in ssh_config:
> Host *
>     GSSAPIAuthentication yes
>     GSSAPIDelegateCredentials yes
>     GSSAPIKeyExchange yes
> These are my settings in sshd_config:
> # Kerberos options
> KerberosAuthentication yes
> KerberosOrLocalPasswd yes
> KerberosTicketCleanup yes
> #KerberosGetAFSToken no
> #KerberosUseKuserok yes
>
> # GSSAPI options
> #GSSAPIAuthentication no
> GSSAPIAuthentication yes
> #GSSAPICleanupCredentials yes
> GSSAPICleanupCredentials yes
> #GSSAPIStrictAcceptorCheck yes
> GSSAPIKeyExchange yes
>
> UsePAM yes
> Is there anything else that needs to be set in order for tickets to be
> automatically generated following a ssh to a server?
> Thanks!
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
--
--------
Diogenes S. de Jesus
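
Added example, not part of the original message or of OpenSSH: a small check of which GSSAPIAuthentication value sshd would actually use from a config file, given that sshd takes the first value it reads for a keyword, ignores commented lines, and falls back to the default "no". The function name, the sample files and their contents are constructed for illustration; only the global section (before any Match line) is considered, and only whitespace-separated "Keyword value" lines are handled.

```shell
#!/bin/sh
# effective_value FILE KEYWORD DEFAULT
# Print the value sshd would use for KEYWORD in the global section of FILE.
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        { sub(/^[ \t]+/, "") }              # strip leading whitespace
        /^#/ || /^$/ { next }               # comments and blank lines are ignored
        tolower($1) == "match" { exit }     # global section ends at the first Match
        tolower($1) == key && !found { val = $2; found = 1 }   # first value wins
        END { print (found ? tolower(val) : def) }
    ' "$1"
}

# Constructed sample files (not taken from any real host).
SAMPLES=$(mktemp -d)

# Same GSSAPI lines as the sshd_config quoted in the thread.
printf '%s\n' '# GSSAPI options' '#GSSAPIAuthentication no' \
    'GSSAPIAuthentication yes' 'UsePAM yes' > "$SAMPLES/thread.conf"

# An earlier active "no" shadows the later "yes"; keywords are case-insensitive.
printf '%s\n' 'gssapiauthentication no' 'GSSAPIAuthentication yes' \
    > "$SAMPLES/shadowed.conf"

# Only a commented-out line: the default applies.
printf '%s\n' '#GSSAPIAuthentication yes' 'UsePAM yes' > "$SAMPLES/default.conf"

for f in thread shadowed default; do
    printf '%s: GSSAPIAuthentication %s\n' "$f" \
        "$(effective_value "$SAMPLES/$f.conf" GSSAPIAuthentication no)"
done
```

On a live server, "sshd -T" prints the effective configuration after all files and defaults have been applied, and is the authoritative check.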