[37578] in Kerberos
Re: A way to automatically get a ticket through ssh for a local user
daemon@ATHENA.MIT.EDU (Diogenes S. Jesus)
Sun Jul 17 06:20:45 2016
In-Reply-To: <E6F9FD20-9CDE-4AAA-8F22-1FC6DE3F74E2@sinenomine.net>
From: "Diogenes S. Jesus" <splash@gmail.com>
Date: Sun, 17 Jul 2016 12:20:06 +0200
Message-ID: <CAD8MJvD_RgktGQTfWhFds31vJNZjAMrWLew1oaia1m1zpy5x-Q@mail.gmail.com>
To: Brandon Allbery <ballbery@sinenomine.net>
Cc: Mauro Cazzari <mymagicid@gmail.com>, "kerberos@MIT.EDU" <kerberos@mit.edu>

I've recently encountered this "limitation" when trying to bootstrap
systems to use SSSD+GSSAPI (Kerberos) when they are first provisioned using
ssh-key (e.g. OpenStack).
Once you go pubkey, GSSAPI cred forwarding isn't available in this
context... and that's a bit frustrating, but that's the way things are.
On Sat, Jul 16, 2016 at 2:26 AM, Brandon Allbery <ballbery@sinenomine.net>
wrote:
> Last time I looked at the openssh source code, turning them on could
> interfere with the GSSAPI code: notably, it could cause the “old style”
> ticket forwarding hack to be attempted instead of GSSAPI credential
> delegation, which will fail with GSSAPI credentials.
>
> On 7/15/16, 01:39, "kerberos-bounces@MIT.EDU on behalf of Benjamin Kaduk"
> <kerberos-bounces@MIT.EDU on behalf of kaduk@MIT.EDU> wrote:
>
> >KerberosAuthentication yes
> >KerberosOrLocalPasswd yes
> >KerberosTicketCleanup yes
> >#KerberosGetAFSToken no
> >#KerberosUseKuserok yes
>
> As Brandon said, these are old/deprecated and it is unusual for them to be
> the desired configuration. But I don't know enough about what you want in
> order to be able to say that for sure.
>
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
--
--------
Diogenes S. de Jesus
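
Added example, not part of the thread: a small check that reads sshd_config text and reports which of the legacy `Kerberos*` directives quoted above are explicitly enabled, and whether `GSSAPIAuthentication` is on. The function name `audit_sshd_config` and the sample config are constructed for illustration; only the global section (before any `Match` block) is audited.

```shell
#!/bin/sh
# Added example (not from the thread). Reads sshd_config text on stdin and
# reports explicitly enabled legacy Kerberos* directives and GSSAPI status.
audit_sshd_config() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        gsub(/[ \t]*=[ \t]*|[ \t]+/, " ", line)   # accept "Key val" and "Key=val"
        split(line, f, " ")
        key = tolower(f[1]); val = tolower(f[2])  # keywords are case-insensitive
        if (key == "match") exit            # audit the global section only
        if (key in seen) next               # sshd keeps the first value it reads
        seen[key] = val
        if (key ~ /^kerberos/ && val == "yes")
            print "LEGACY " f[1] " " val
    }
    END {
        if (seen["gssapiauthentication"] == "yes") print "GSSAPI enabled"
        else print "GSSAPI not-enabled"
    }'
}

# Constructed sample: the options quoted in the thread plus a GSSAPI line.
sample='KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
GSSAPIAuthentication no'
printf '%s\n' "$sample" | audit_sshd_config
```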