Forwarding Kerberos Credentials - SSH
Frank Cusack
fcusack at fcusack.com
Thu Jun 19 23:21:18 EDT 2003
On Thu, 19 Jun 2003 10:22:50 -0700 Donn Cave <donn at u.washington.edu> wrote:
> unfortunately it doesn't interoperate with the ssh.com approach to
> Kerberos 5 for protocol 2.
Which, AIUI, was rejected in the IETF for being deficient. Regardless
of any deficiencies (or not) in the ssh.com approach, the GSSAPI
approach is superior. I won't go into the reasons why; interested
readers can do some Google research.
> Secondly I think the term "forwarding" doesn't apply to the scenarios
> I'm reading about here. If you log in to sshd with your Kerberos
> password, the remote credentials acquired in the process are actually
> local in this sense - they reside on the host that acquired them, as
Right. That's not what the poster wants. That's not Kerberos
authentication, that's password authentication.
> sshd did that. When used to authenticate to some service from there,
> that's just simple basic Kerberos authentication, no forwarding needed.
The original poster wants to log in LOCALLY with krb5, ssh to a remote
machine with KERBEROS authentication; the forwarding is needed so that
on the remote machine he can subsequently obtain tickets for xyz service
(say, AFS).
/fc