Use ssh key to acquire TGT?

Christopher D. Clausen cclausen at
Thu May 31 22:51:02 EDT 2007

Adam Megacz <megacz at> wrote:
> Our ( users love their new AFS homedirs, but are complaining
> a lot about ssh public keys not working the way they're accustomed to.
> Telling them to "kinit" after logging in doesn't quite cut it either.
> We're aware that this goes against the grain of kerberos security, but
> without something like this users will just start hardcoding their
> plaintext password into scripts, which is even worse.  At least with
> ssh keys we can urge them to password-encrypt their on-disk private
> keys.

How exactly is having a private key password different from simply 
telling the user to kinit ONCE on their local machine before attempting 
to SSH to your Kerberized machines?

Also, you could rig up a login script (or PAM) that used a local keytab 
file to obtain AFS tickets automatically at successful login.  Not sure 
if you'd have to assume that someone logging in as the local UNIX user 
automatically means that user would have the matching AFS identity. 
You would also have issues of users keeping their passwords and the 
keytabs up to date or otherwise differentiating between the keytab login 
and their real Kerberos identity.

This might be a question to ask on the AFS mailing lists instead of the 
Kerberos ones.
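A sketch of the keytab-based login hook the reply suggests, added here as an example (it is not code from the thread or from any of the participants); the keytab path, the credential-cache location and the EXAMPLE.REALM principal are placeholders, and kinit/aklog are only invoked if present. It refuses a keytab that is not owned by the caller or not mode 0600, since a keytab is the long-term key and is equivalent to the user's password on disk, and it uses a separate credential cache so a keytab-derived TGT is never confused with a real interactive one.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Login hook: obtain a TGT from a per-user keytab, then AFS tokens via aklog.
# Placeholders: ~/.keytab, user@EXAMPLE.REALM, /tmp/krb5cc_keytab_<uid>.

# keytab_ok FILE: returns 0 only if FILE is a regular file owned by the
# calling user with permissions exactly 0600; anything looser is refused.
keytab_ok() {
    f=$1
    [ -f "$f" ] || return 1
    # POSIX find: -prune stops descent, -user and -perm must both match exactly
    [ -n "$(find "$f" -prune -user "$(id -un)" -perm 600 -print)" ] || return 1
    return 0
}

# afs_login PRINCIPAL KEYTAB: kinit from the keytab into a private credential
# cache (so an existing interactive TGT is not clobbered), then run aklog to
# turn the Kerberos ticket into an AFS token for this PAG/session.
afs_login() {
    princ=$1
    kt=$2
    keytab_ok "$kt" || { echo "refusing keytab $kt: bad owner or mode" >&2; return 1; }
    command -v kinit >/dev/null 2>&1 && command -v aklog >/dev/null 2>&1 || return 2
    KRB5CCNAME="FILE:/tmp/krb5cc_keytab_$(id -u)"   # placeholder cache location
    export KRB5CCNAME
    kinit -k -t "$kt" "$princ" || return 3          # -k/-t: MIT and Heimdal kinit
    aklog || return 4
    return 0
}

# Typical call from a login script (placeholder realm and keytab path):
# afs_login "$(id -un)@EXAMPLE.REALM" "$HOME/.keytab"
```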
