TGT forwarding when cross-realm auth?

Jeffrey Hutzelman jhutz@cmu.edu
Sat Jun 4 19:15:36 EDT 2005
On Saturday, June 04, 2005 09:46:42 AM +0200 vadim 
<vadim.tarassov@swissonline.ch> wrote:


> 1) we (realm A) do not trust realm B and do not want credentials from
> realm A to be saved on that filesystem.

Then you need to configure your ssh client not to forward credentials to 
hosts in realm B, or else be careful not to ssh to hosts in realm B when 
you have credentials you don't want to forward there.

Ideally, you'd be able to set your ssh client so it would not forward 
credentials from realm A, but would be willing to forward credentials from 
realm B.  However, I am not aware of any ssh client that offers such a 
feature -- usually, the decision is made based solely on the name of the 
server host.


> 2) we however still want users to login from A to B without entering
> passwords.

That's fine; you do not need to forward credentials in order to get a 
Kerberos-authenticated SSH connection.  GSSAPI authentication and 
credential delegation (forwarding) are generally configured separately for 
just this reason.
However, the only way to get a krbtgt/B@B TGT is either to forward one you 
already have, or to obtain one from the realm B KDC either by typing a 
password or by using a keytab file containing your key.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA
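As an added illustration, not part of the original thread, here is an OpenSSH ssh_config fragment that expresses the per-host decision described in the reply above: Kerberos (GSSAPI) authentication stays on everywhere, but credential delegation is switched off for realm B hosts. The host name patterns are placeholders; OpenSSH takes the first value set for each option, so the specific Host blocks must come before Host *.

```sshconfig
# Added example, not from the original message. Host patterns are placeholders.

# Realm B hosts: authenticate with Kerberos, but never delegate (forward) the TGT,
# so no realm A credentials end up in a ticket cache on realm B filesystems.
Host *.realm-b.example
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no

# Realm A hosts: delegation permitted, e.g. for Kerberized services reachable there.
Host *.realm-a.example
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

# Everything else: delegation off (this is also OpenSSH's default).
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
```

As the reply notes, this selects only on the server host name; the client cannot tell which realm the tickets in the cache came from, so a user holding realm A credentials must still avoid delegating to any host outside the realm A patterns.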