Use ssh key to acquire TGT?

Adam Megacz megacz at
Thu May 31 22:14:50 EDT 2007

I know the idea will make some people recoil in horror, but are there
any KDCs or patches out there that do this?

The idea would be that the KDC would issue a TGT to any user who could
prove they had possession of the private key corresponding to one of
the user's ~/.ssh/authorized_keys (assume for simplicity that the KDC
has copies of these).

I know there are solutions out there for generating a TGT in response
to other authentication mechanisms (secureid, etc), so this can't be
*that* crazy.

Our ( users love their new AFS homedirs, but are complaining
a lot about ssh public keys not working the way they're accustomed to.
Telling them to "kinit" after logging in doesn't quite cut it either.

We're aware that this goes against the grain of Kerberos security, but
without something like this users will just start hardcoding their
plaintext password into scripts, which is even worse.  At least with
ssh keys we can urge them to password-encrypt their on-disk private

  - a

PGP/GPG: 5C9F F366 C9CF 2145 E770  B1B8 EFB1 462D A146 C380
