dkuhl at paritysys.net
Wed Sep 22 09:58:49 EDT 2004
Valid point about the user, though. The user does need to exist on the
target machine. I tend to create them with "adduser --disabled-password
<username>" so that the Kerberos ticket is the only method by which they
can access the machine. Limits the entry.
dkuhl at paritysys.com
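A check for the provisioning approach described above, added here as an example that is not from the list thread: it classifies the password field of shadow(5) entries so an administrator can confirm that accounts meant to be Kerberos-only carry a disabled password rather than an empty one or a real hash. The sample shadow lines are constructed, and the assumption that adduser --disabled-password leaves a "*" or "!" in the password field is this script's, not the thread's.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Assumes the shadow(5) layout: name:password:lastchange:min:max:warn:inactive:expire:flags
# The sample lines below are constructed for this example; they are not real accounts.
SAMPLE_SHADOW='alice:*:12345:0:99999:7:::
bob:!:12345:0:99999:7:::
carol::12345:0:99999:7:::
dave:$6$saltsalt$notarealhashjustaplaceholder:12345:0:99999:7:::'

# password_state NAME PWFIELD -> prints one of: locked | empty | hash
# A field starting with "*" or "!" can never match a typed password (assumed
# here to be what adduser --disabled-password / --disabled-login produce),
# so a Kerberos ticket or key-based auth is the only way into the account.
password_state() {
    case "$2" in
        '')        echo empty ;;   # no password at all: login with no credential
        '*'*|'!'*) echo locked ;;  # disabled password: ticket/key-only account
        *)         echo hash ;;    # a real hash: password login is still possible
    esac
}

# audit_shadow reads shadow lines on stdin and prints "NAME STATE" per account.
# It returns 1 if any account still allows password or passwordless login.
audit_shadow() {
    rc=0
    while IFS=: read -r name pw rest; do
        [ -n "$name" ] || continue
        state=$(password_state "$name" "$pw")
        echo "$name $state"
        case "$state" in
            locked) ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}

# Run against the constructed sample; on a real host (as root): audit_shadow < /etc/shadow
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow || echo "accounts with usable passwords found"
```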
rachel elizabeth dillon wrote:
> I just tested this properly with a 1.3.4 implementation I built for someone else
> recently; I was incorrect. The only time that the KDC is not queried is if you
> do not have tickets to begin with. If you have valid realm tickets but try to
> log in with something like "ssh -l fakename valid.host.com", the KDC will
> be queried. I expect this is probably reasonable behavior in both cases.
> (The KDC _will_ be queried if you are using PAM to authenticate via Kerberos
> with password-interactive, also.)
> Sorry to mislead; I tested briefly but didn't actually check to see if I had
> tickets before I did so.
> On Tue, Sep 21, 2004 at 07:20:10PM -0400, Ken Raeburn wrote:
>>On Sep 21, 2004, at 17:29, rachel elizabeth dillon wrote:
>>>1. Are you trying to ssh as a user that exists on the other machine?
>>>If the user does not exist in the other machine's /etc/passwd, then
>>>I don't believe the KDC will ever be queried.
>>That sounds like an undesirable leak of information from the server, if