[37576] in Kerberos


Re: A way to automatically get a ticket through ssh for a local user

daemon@ATHENA.MIT.EDU (Mark Pröhl)
Fri Jul 15 07:21:03 2016

To: kerberos@mit.edu
From: Mark Pröhl <mark@mproehl.net>
Message-ID: <5788C71F.4010307@mproehl.net>
Date: Fri, 15 Jul 2016 13:21:03 +0200
MIME-Version: 1.0
In-Reply-To: <5D8D7E75-0525-4AA4-B39F-1F3B6E3EEF3D@sinenomine.net>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

On 07/15/2016 12:25 AM, Brandon Allbery wrote:
> On 7/14/16, 17:32, "kerberos-bounces@mit.edu on behalf of Mauro Cazzari" <kerberos-bounces@mit.edu on behalf of mymagicid@gmail.com> wrote:
> 
>     # Kerberos options
>     KerberosAuthentication yes
>     KerberosOrLocalPasswd yes
>     KerberosTicketCleanup yes
>     #KerberosGetAFSToken no
>     #KerberosUseKuserok yes
>     
>     
> I would turn these off; they refer to an older Kerberos API in ssh and may interfere with GSSAPI.
> 
> The others look correct. Note that if it is using public key authentication to get to the next server, it will not use the Kerberos code and therefore won’t forward (delegate) credentials to the next server. (Also note that if there are other matching Host blocks, the “Host *” block in ssh_config won’t be used.)
> 
> 

and remember that tickets need to be flagged as forwardable (i.e. "kinit
-f ..." or by setting "forwardable  = true" in /etc/krb5.conf,
[libdefaults])
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
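
A check for the conditions raised in this thread, as an added example that is not part of the original messages: it reads `klist -f`, `ssh -G HOST` (the effective client options for that host) and sshd_config text, and reports a TGT without the forwardable flag, GSSAPI options that are not enabled, and active older Kerberos* options. The function names and sample inputs are constructed for illustration, and it assumes GSSAPIAuthentication and GSSAPIDelegateCredentials are the OpenSSH client options involved (the message does not name them).

```shell
#!/bin/sh
# Added example: offline checks for GSSAPI credential delegation over ssh.
# All sample text below is constructed; principal and host names are made up.

# Succeeds if the krbtgt entry in `klist -f` output (stdin) carries flag F.
tgt_forwardable() {
    awk '/krbtgt\// { tgt = 1; next }
         tgt && /Flags:/ { sub(/.*Flags: */, ""); found = ($0 ~ /F/); exit }
         END { exit !found }'
}

# Prints the value of option $1 (lowercase) from `ssh -G host` output (stdin).
ssh_opt() { awk -v k="$1" '$1 == k { print $2; exit }'; }

# Prints older Kerberos* options that are active and "yes" in sshd_config (stdin).
legacy_krb_opts() {
    awk 'tolower($1) ~ /^kerberos/ && tolower($2) == "yes" { print $1 }'
}

# $1 = klist -f text, $2 = ssh -G text, $3 = sshd_config text; prints findings.
report() {
    printf '%s\n' "$1" | tgt_forwardable ||
        echo "ticket: TGT lacks F; use kinit -f or forwardable = true in [libdefaults]"
    for k in gssapiauthentication gssapidelegatecredentials; do
        [ "$(printf '%s\n' "$2" | ssh_opt "$k")" = yes ] ||
            echo "client: $k is not yes for this host"
    done
    for o in $(printf '%s\n' "$3" | legacy_krb_opts); do
        echo "server: $o yes (older Kerberos API option)"
    done
}

SAMPLE_KLIST='Default principal: alice@EXAMPLE.COM
07/15/2016 13:00:00  07/15/2016 23:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 07/22/2016 13:00:00, Flags: RIA'
SAMPLE_SSH_G='hostname hop1.example.com
gssapiauthentication yes
gssapidelegatecredentials no'
SAMPLE_SSHD='# Kerberos options
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes'

report "$SAMPLE_KLIST" "$SAMPLE_SSH_G" "$SAMPLE_SSHD"
# Live use: report "$(klist -f)" "$(ssh -G HOST)" "$(cat /etc/ssh/sshd_config)"
```

The flag match is case-sensitive on purpose: in `klist -f` output, `F` means forwardable while `f` only marks a ticket that was itself forwarded.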

