[37577] in Kerberos
Re: A way to automatically get a ticket through ssh for a local user
daemon@ATHENA.MIT.EDU (Brandon Allbery)
Fri Jul 15 20:26:35 2016
From: Brandon Allbery <ballbery@sinenomine.net>
To: Benjamin Kaduk <kaduk@mit.edu>, Mauro Cazzari <mymagicid@gmail.com>
Date: Sat, 16 Jul 2016 00:26:15 +0000
Message-ID: <E6F9FD20-9CDE-4AAA-8F22-1FC6DE3F74E2@sinenomine.net>
In-Reply-To: <alpine.GSO.1.10.1607150136260.5272@multics.mit.edu>
Content-Language: en-US
Content-ID: <B72AB320CCA3BF449D1AC577250F3F38@mex09.mlsrvr.com>
MIME-Version: 1.0
Cc: "kerberos@MIT.EDU" <kerberos@mit.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
Last time I looked at the openssh source code, turning them on could interfere with the GSSAPI code: notably, it could cause the “old style” ticket forwarding hack to be attempted instead of GSSAPI credential delegation, which will fail with GSSAPI credentials.
On 7/15/16, 01:39, "kerberos-bounces@MIT.EDU on behalf of Benjamin Kaduk" <kerberos-bounces@MIT.EDU on behalf of kaduk@MIT.EDU> wrote:
>KerberosAuthentication yes
>KerberosOrLocalPasswd yes
>KerberosTicketCleanup yes
>#KerberosGetAFSToken no
>#KerberosUseKuserok yes
As Brandon said, these are old/deprecated and it is unusual for them to be
the desired configuration. But I don't know enough about what you want in
order to be able to say that for sure.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
