TGT forwarding when cross-realm auth?
Jeffrey Hutzelman
jhutz at cmu.edu
Sat Jun 4 19:15:36 EDT 2005
On Saturday, June 04, 2005 09:46:42 AM +0200 vadim
<vadim.tarassov at swissonline.ch> wrote:
> 1) we (realm A) do not trust realm B and do not want credentials from
> realm A to be saved on that filesystem.
Then you need to configure your ssh client not to forward credentials to
hosts in realm B, or else be careful not to ssh to hosts in realm B when
you have credentials you don't want to forward there.
Ideally, you'd be able to set your ssh client so it would not forward
credentials from realm A, but would be willing to forward credentials from
realm B. However, I am not aware of any ssh client that offers such a
feature -- usually, the decision is made based solely on the name of the
server host.
> 2) we however still want users to login from A to B without entering
> passwords.
That's fine; you do not need to forward credentials in order to get a
Kerberos-authenticated SSH connection. GSSAPI authentication and
credential delegation (forwarding) are generally configured separately for
just this reason.
However, the only way to get a krbtgt/B at B TGT is either to forward one you
already have, or to obtain one from the realm B KDC either by typing a
password or by using a keytab file containing your key.
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
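The per-host split between GSSAPI authentication and credential delegation described above, as an added example client configuration (not part of the original thread; the realm host patterns are placeholders):

```ssh_config
# Added example: ~/.ssh/config fragment separating Kerberos authentication
# from TGT delegation on a per-host basis. The domain names are assumed
# placeholders for hosts in realm B and realm A.
#
# OpenSSH takes the first value obtained for each option, so the most
# specific Host blocks must come before the catch-all "Host *" at the end.

# Hosts in realm B: authenticate with the existing TGT, but never forward it,
# so no realm A credentials are written to realm B's filesystem.
Host *.realm-b.example
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no

# Hosts in our own realm A: forwarding the TGT is acceptable here.
Host *.realm-a.example
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

# Default for everything else: Kerberos login allowed, delegation off.
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
```

Running `ssh -G somehost.realm-b.example` prints the effective options for that host, which is a quick way to confirm that `gssapidelegatecredentials no` is what actually applies before connecting.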