Use ssh key to acquire TGT?
Christopher D. Clausen
cclausen at acm.org
Thu May 31 22:51:02 EDT 2007
Adam Megacz <megacz at hcoop.net> wrote:
> Our (hcoop.net) users love their new AFS homedirs, but are complaining
> a lot about ssh public keys not working the way they're accustomed to.
> Telling them to "kinit" after logging in doesn't quite cut it either.
>
> We're aware that this goes against the grain of kerberos security, but
> without something like this users will just start hardcoding their
> plaintext password into scripts, which is even worse. At least with
> ssh keys we can urge them to password-encrypt their on-disk private
> keys.
How exactly is having a private key password different from simply
telling the user to kinit ONCE on their local machine before attempting
to SSH to your Kerberized machines?
Also, you could rig up a login script (or PAM) that used a local keytab
file to obtain AFS tickets automatically at successful login. Not sure
if you'd have to assume that someone logging in as the local UNIX user
automatically means that user would have the matching AFS identity.
You would also have issues of users keeping their passwords and the
keytabs up to date or otherwise differentiating between the keytab login
and their real Kerberos identity.
This might be a question to ask on the AFS mailing lists instead of the
Kerberos ones.
<<CDC
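A sketch of the keytab login hook the reply suggests, added here as an example and not code from the thread or from either poster. The keytab directory, the realm, and the naive "local login name equals principal name" mapping are assumptions; `kinit -k -t` and `aklog` are the standard MIT/Heimdal and OpenAFS tools. The one check worth keeping is the permission test: a keytab is a plaintext-equivalent long-term credential, so a hook like this should refuse a keytab that is group- or world-readable or not owned by the user logging in.

```shell
#!/bin/sh
# Added example (not from the thread): obtain a TGT from a per-user keytab at
# login and turn it into an AFS token. Assumed: one keytab per local user under
# KEYTAB_DIR, and principal name == local login name in REALM (placeholder).

KEYTAB_DIR="${KEYTAB_DIR:-/etc/krb5/user-keytabs}"   # assumed location
REALM="${REALM:-EXAMPLE.ORG}"                       # placeholder realm

# keytab_is_private FILE
# Returns 0 only when FILE exists, is owned by the invoking user, and has no
# group/other permission bits set. Parses `ls -ld` so it works on both GNU
# and BSD userlands (stat(1) flags differ between them).
keytab_is_private() {
    f=$1
    [ -f "$f" ] || return 1
    ls_out=$(ls -ld "$f") || return 1
    # ls -l layout: columns 1-10 are the mode string, field 3 is the owner
    mode=$(printf '%s' "$ls_out" | cut -c5-10)
    owner=$(printf '%s' "$ls_out" | awk '{print $3}')
    [ "$mode" = "------" ] || return 1
    [ "$owner" = "$(id -un)" ] || return 1
    return 0
}

# principal_for_user LOGIN
# Naive identity mapping (an assumption of this example): the local UNIX
# login name is the Kerberos principal name in REALM.
principal_for_user() {
    printf '%s@%s\n' "$1" "$REALM"
}

# acquire_afs_tokens
# Refuses an exposed keytab, then does kinit from the keytab and aklog.
acquire_afs_tokens() {
    user=$(id -un)
    keytab="$KEYTAB_DIR/$user.keytab"
    if ! keytab_is_private "$keytab"; then
        echo "refusing $keytab: missing, not owned by $user, or group/world accessible" >&2
        return 1
    fi
    princ=$(principal_for_user "$user")
    # -k: authenticate with a keytab; -t: which keytab file to read
    kinit -k -t "$keytab" "$princ" || return 1
    # aklog (OpenAFS) converts the TGT in the credential cache into an AFS token
    aklog || return 1
}

# Typical use from a login hook:  acquire_afs_tokens || echo "no AFS token" >&2
```

The hook only defines functions, so it can be sourced from a profile script or wrapped for a PAM session module; whatever calls it still inherits the thread's caveat that the keytab is a second long-term secret that has to be rotated alongside the user's real password.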