Use ssh key to acquire TGT?

Russ Allbery rra at stanford.edu
Fri Jun 1 01:44:43 EDT 2007


Adam Megacz <megacz at hcoop.net> writes:

>>> Because you have to kinit once **per realm**.

>> Well, if the passwords are different you can't get around that.

> As they should be, because I do not want to entrust the admins of any
> of the systems I use with knowledge of the password for my account on
> other systems.

The most practical short-term solution to this problem is to do something
akin to the Apple keychain.  Store the passwords of all these different
Kerberos principals in an encrypted file protected by a private key (or
whatever else is convenient), and then wrap kinit with something that
decrypts that password store and walks through the principals, obtaining
each TGT.

In the long run, what you want, protocol-wise, is a new Kerberos preauth
mechanism that can be used to authenticate to the KDC, similar to PKINIT.
PKINIT already exists and is already standardized, so using X.509
certificates is much easier than using ssh private keys.  I expect there
will be significant protocol issues to work through using ssh public keys
for a preauth mechanism (such as how to communicate the TGT back to the
client securely).

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
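The keychain-style kinit wrapper sketched above, as an added example that is not part of the original post: it decrypts a password store, walks the principals, and runs `kinit` once per principal into a per-realm credential cache. The store path, its line format, the use of gpg for the encryption, and the assumption that `kinit` reads the password from stdin (MIT Kerberos does) are this example's choices.

```python
"""kinit wrapper: decrypt a password store, then obtain one TGT per principal.
Added example, not code from the original post. Assumptions (this example's
choices): the store is a gpg-encrypted text file of "principal password" lines,
and kinit accepts the password on stdin (MIT Kerberos does)."""
import os
import subprocess
import sys

STORE = os.environ.get("KRB_STORE", os.path.expanduser("~/.krb-store.gpg"))

def parse_store(text):
    """Decrypted store text -> [(principal, password), ...]; '#' and blank
    lines are skipped, a malformed line is an error rather than silently lost."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or "@" not in parts[0]:
            raise ValueError(f"store line {lineno}: expected 'principal password'")
        entries.append((parts[0], parts[1]))
    return entries

def ccache_for(principal):
    """One credential cache per realm so the TGTs do not overwrite each other."""
    realm = principal.rsplit("@", 1)[1]
    return f"FILE:/tmp/krb5cc_{os.getuid()}_{realm}"

def kinit_all(entries, run=subprocess.run):
    """Run kinit once per principal, passing the password on stdin (never in
    argv, which `ps` exposes). Returns the principals whose kinit failed;
    `run` is injectable so the loop can be tested without a KDC."""
    failed = []
    for principal, password in entries:
        result = run(["kinit", "-c", ccache_for(principal), principal],
                     input=password + "\n", text=True, capture_output=True)
        if result.returncode != 0:
            failed.append(principal)
    return failed

def decrypt_store():
    # gpg (your private key, via the agent) protects the store at rest.
    out = subprocess.run(["gpg", "--quiet", "--batch", "--decrypt", STORE],
                         capture_output=True, text=True, check=True)
    return out.stdout

if __name__ == "__main__":
    failed = kinit_all(parse_store(decrypt_store()))
    sys.exit("kinit failed for: " + ", ".join(failed) if failed else 0)
```

Point `KRB5CCNAME` at the realm's cache (or use a ccache collection on newer Kerberos libraries) when you need the tickets for a given realm.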
