Use ssh key to acquire TGT?

Adam Megacz megacz at hcoop.net
Fri Jun 1 00:18:42 EDT 2007


"Christopher D. Clausen" <cclausen at acm.org> writes:
> How exactly is having a private key password different from simply 
> telling the user to kinit ONCE on their local machine before attempting 
> to SSH to your Kerberized machines?

Because you have to kinit once **per realm**.

Most users also have many accounts on many machines that are not part
of HCOOP.  Sadly, the world does not revolve around our KDC.

That's the nice part about ssh public keys -- you can use the same
private key to log into any number of servers, even if the server
admins don't have the logistical bandwidth (or political leverage) to
negotiate complicated cross-realm arrangements with each other.  Or
even if some of the servers don't use kerberos.

> Also, you could rig up a login script (or PAM) that used a local
> keytab file to obtain AFS tickets automatically at successful login.

Yes, unfortunately this would mean that anybody who hacked local root
on any one of the shell servers would instantly have keytabs for every
user.  Not good.

Also, I don't know if MIT KDC supports having both a password and a
keytab for a user.  I know it's possible in theory, but I think that
feature just isn't there -- creating a keytab erases their password.
Does Heimdal support this?

  - a

More information about the Kerberos mailing list