Forwarding Kerberos Credentials - SSH

Frank Cusack fcusack at
Thu Jun 19 23:21:18 EDT 2003

On Thu, 19 Jun 2003 10:22:50 -0700 Donn Cave <donn at> wrote:
> unfortunately it doesn't interoperate with the approach to
> Kerberos 5 for protocol 2.

Which, AIUI, was rejected in the ietf for being deficient.  Regardless
of any deficiencies (or not) in the approach, the GSSAPI
approach is superior.  I won't go into the reasons why, interested
readers can do some Google research.

> Secondly I think the term "forwarding" doesn't apply to the scenarios
> I'm reading about here.  If you log in to sshd with your Kerberos
> password, the remote credentials acquired in the process are actually
> local in this sense - they reside on the host that acquired them, as

Right.  That's not what the poster wants.  That's not kerberos
authentication, that's password authentication.

> sshd did that.  When used to authenticate to some service from there,
> that's just simple basic Kerberos authentication, no forwarding needed.

The original poster wants to login LOCALLY with krb5, ssh to a remote
machine with KERBEROS authentication; the forwarding is needed so that
on the remote machine he can subsequently obtain tickets for xyz service
(say, afs).


More information about the Kerberos mailing list