Use ssh key to acquire TGT?

Russ Allbery rra at stanford.edu
Sat Jun 2 14:50:53 EDT 2007


Adam Megacz <megacz at hcoop.net> writes:
> Jeffrey Altman <jaltman at secure-endpoints.com> writes:

>>> Hrm, last I checked there was no RFC, just an internet-draft.

>> RFC 4456
>> http://www.ietf.org/rfc/rfc4556.txt

> Wow, sweet.  What is the implementation status in current KDC's (MIT and
> Heimdal)?

Heimdal supports PKINIT as of the 0.8 release.  Support for PKINIT in MIT
Kerberos is scheduled, I believe, for the 1.7 release and is currently
available on a branch.

> Currently my thinking is to patch pam_krb5 and add a flag that causes it
> to use $SSH_AUTH_SOCK to contact the user's ssh-agent, and get the agent
> to sign the PKINIT protocol requests.  This way the pam stack:

>   pam_ssh_agent
>   pam_krb5
>   pam_afs_session

> should do everything automatically.

pam_krb5 does already have PKINIT support, so I recommend reviewing how
that support is structured and seeing if you can take advantage of it.  If
you can minimize the impact of these changes, I'm happy to take patches to
enable this sort of thing in pam_krb5, although I don't really want to
take a lot of code specific to ssh public keys.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
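Adam's proposal above, letting the PAM module hand the PKINIT signing data to the user's ssh-agent over $SSH_AUTH_SOCK, as an added example that is not code from the thread or from pam_krb5; it assumes the public key blob was already fetched from the agent's identity list.

```python
# Added example, not code from pam_krb5 or the thread: the minimum a PAM module
# needs to speak the OpenSSH agent protocol over $SSH_AUTH_SOCK and have the
# agent sign a blob.  key_blob is assumed to come from an earlier
# SSH_AGENTC_REQUEST_IDENTITIES query (not shown).
import os
import socket
import struct

SSH_AGENTC_SIGN_REQUEST = 13   # client -> agent
SSH_AGENT_SIGN_RESPONSE = 14   # agent -> client (SSH_AGENT_FAILURE is 5)

def _string(b):
    """SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def _read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_sign_request(key_blob, data, flags=0):
    """Frame SSH_AGENTC_SIGN_REQUEST: byte type, string key, string data, uint32 flags."""
    body = bytes([SSH_AGENTC_SIGN_REQUEST]) + _string(key_blob) + _string(data)
    body += struct.pack(">I", flags)
    return struct.pack(">I", len(body)) + body

def parse_sign_response(msg):
    """Return (algorithm, raw_signature) from a framed reply, or None on refusal.

    The agent wraps its answer as an SSH signature blob (string type, string
    bytes); a PKINIT caller needs the inner raw bytes for the CMS SignedData.
    """
    (n,) = struct.unpack_from(">I", msg, 0)
    body = msg[4:4 + n]
    if body[0] != SSH_AGENT_SIGN_RESPONSE:
        return None
    blob, _ = _read_string(body, 1)
    alg, off = _read_string(blob, 0)
    raw, _ = _read_string(blob, off)
    return alg.decode(), raw

def agent_sign(data, key_blob, sock_path=None):
    """Ask the agent at $SSH_AUTH_SOCK (or sock_path) to sign data with key_blob."""
    path = sock_path or os.environ["SSH_AUTH_SOCK"]
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(build_sign_request(key_blob, data))
        f = s.makefile("rb")          # read(n) blocks until n bytes or EOF
        hdr = f.read(4)
        (n,) = struct.unpack(">I", hdr)
        return parse_sign_response(hdr + f.read(n))
```

A module doing this still has to map the agent's signature type onto what the KDC accepts in the PKINIT CMS structure, which is the part the agent protocol does not solve for you.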
