Use ssh key to acquire TGT?

Ken Hornstein kenh at cmf.nrl.navy.mil
Mon Jun 4 09:15:16 EDT 2007


>Let's say that there were Kerberos cross-realm trusts created between 
>these various organizations.  Would that really help?  The original 
>point was to gain access to the AFS filesystem.  Just logging onto the 
>machine is possible now using SSH keys.  Do other sites use AFS 
>"foreign" users through cross-realm trusts?  I supect that users will 
>dislike the idea of having to change AFS ACLs on a whole bunch of files 
>to add the other "foreign" users.

I can only say that we make heavy use of cross-realm PTS entries.  However,
our situation is a bit different; we don't allow arbitrary principals access
to our accounts (we control which principals can log into our accounts),
so when we allow principal "X" to log into account "Y", we set up the user's
home directory to have the correct ACLs.

--Ken


