ssh-krb5 problems

dkuhl dkuhl at paritysys.net
Wed Sep 22 09:58:49 EDT 2004


Valid point about the user though.  The user does need to exist on the 
target machine.  I tend to create them with "adduser --disabled-password 
<username>" so that the kerberos ticket is the only method by which they 
can access the machine.  Limits the entry.

D.


David Kuhl
Parity Systems
dkuhl at paritysys.com
-----------------------



rachel elizabeth dillon wrote:
> I just tested this properly with a 1.3.4 implementation I built for someone else
> recently; I was incorrect. The only time that the KDC is not queried is if you
> do not have tickets to begin with. If you have valid realm tickets but try to
> log in with something like "ssh -l fakename valid.host.com", the KDC will 
> be queried. I expect this is probably reasonable behavior in both cases.
> (The KDC _will_ be queried if you are using PAM to authenticate via Kerberos
> with password-interactive, also.)
> 
> Sorry to mislead; I tested briefly but didn't actually check to see if I had
> tickets before I did so.
> 
> -r.
> 
> 
> On Tue, Sep 21, 2004 at 07:20:10PM -0400, Ken Raeburn wrote:
> 
>>On Sep 21, 2004, at 17:29, rachel elizabeth dillon wrote:
>>
>>>1. Are you trying to ssh as a user that exists on the other machine?
>>>If the user does not exist in the other machine's /etc/passwd, then
>>>I don't believe the KDC will ever be queried.
>>
>>That sounds like an undesirable leak of information from the server, if 
>>that's true.
>>
>>Ken
>>
> 
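A small audit, added here as an example and not code from anyone in the thread, for the setup David describes: the account exists locally but has no usable password (what `adduser --disabled-password` leaves in /etc/shadow), and sshd accepts GSSAPI/Kerberos but not passwords. It assumes a disabled password shows up as `*`, `!` or a `!`-prefixed hash in the shadow file, and runs on constructed sample lines so it needs no root.

```shell
#!/bin/sh
# Added example, not from the thread. Checks two things a Kerberos-only
# login setup depends on: the local account's password is unusable, and
# sshd turns password auth off while leaving GSSAPI on.
# Assumption: a disabled shadow password is "*", "!" or "!"-prefixed.

# password_locked SHADOW_LINE -> 0 if the password field is unusable, 1 if not
password_locked() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        '*' | '!' | '!'*) return 0 ;;
        *) return 1 ;;
    esac
}

# sshd_kerberos_only CONFIG_TEXT -> 0 if, in the global section (before any
# Match block), the last PasswordAuthentication is "no" and GSSAPIAuthentication
# is "yes"; Match-block overrides are deliberately not evaluated here.
sshd_kerberos_only() {
    pw=$(printf '%s\n' "$1" | awk '/^[Mm]atch/{exit}
        tolower($1)=="passwordauthentication"{v=tolower($2)} END{print v}')
    gss=$(printf '%s\n' "$1" | awk '/^[Mm]atch/{exit}
        tolower($1)=="gssapiauthentication"{v=tolower($2)} END{print v}')
    [ "$pw" = "no" ] && [ "$gss" = "yes" ]
}

# Constructed sample input (not taken from any real host).
SHADOW_LOCKED='alice:*:12345:0:99999:7:::'
SHADOW_USABLE='bob:$6$constructed$notarealhash:12345:0:99999:7:::'
SSHD_GOOD='GSSAPIAuthentication yes
PasswordAuthentication no'
SSHD_BAD='GSSAPIAuthentication yes
PasswordAuthentication yes
Match User bob
    PasswordAuthentication no'

# report_account SHADOW_LINE: one line of findings per account
report_account() {
    user=$(printf '%s\n' "$1" | cut -d: -f1)
    if password_locked "$1"; then
        echo "$user: password disabled, Kerberos ticket is the only way in"
    else
        echo "$user: usable password hash present, password login still possible"
    fi
}

report_account "$SHADOW_LOCKED"
report_account "$SHADOW_USABLE"
sshd_kerberos_only "$SSHD_GOOD" && echo "good config: Kerberos-only"
sshd_kerberos_only "$SSHD_BAD" || echo "bad config: password auth still enabled"
```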

