Getting TGTs non-interactively

Russ Allbery rra at stanford.edu
Thu Sep 28 20:23:04 EDT 2006


Fredrik Tolf <fredrik at dolda2000.com> writes:

> See, there are a lot of places where one would like to obtain a ticket
> non-interactively. Apart from such places as cron, where there's
> obviously no other choice than to store the key in a keytab, there is
> the problem with SSH public-key authentication. I'm thinking that it
> should somehow be possible to have the SSH client (which has access to
> the private key) decrypt a key for the server, which can then get a TGT
> with that key. Is that possible, or is there any other solution that I
> haven't thought of?

> Similarly, what about HTTPS connections where the client has a client
> certificate? Obviously, there *is* a private key involved, but is there
> any way the HTTP server can ask the client to decrypt a TGT key for it?

Sounds like you want pkinit (Kerberos initial authentication using
public/private key cryptography).  This is currently being standardized.
I'm not aware of any fully deployed and robust implementations, but I
haven't been following this area very closely.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
More information about the Kerberos mailing list