using a ssh key for krb5 mount

Nicolas Williams Nicolas.Williams at oracle.com
Mon May 17 11:28:41 EDT 2010


On Mon, May 17, 2010 at 05:02:31PM +0200, Richard Smits wrote:
> But my question is, is this possible ? Obtaining a krb5 ticket with ssh 
> public/private key mechanism ?

SSHv2 supports the use of Kerberos via the GSS-API.  Putty, OpenSSH,
SunSSH, Van Dyke, and various other implementations all support that,
and that is what you should use (plus credential delegation).

The only way to do what you actually propose would be by having PKINIT
user certificates whose subject public keys are also the users' SSH
public keys or by adding a PKIX-agent to go with ssh-agent.  That is not
a common usage, and so not supported by any software that I know, but it
is technically doable.  The more complex issue is: how to authenticate
to a remote server using SSH public keys, forward an ssh-agent, and get
the remote server to automatically obtain a TGT using PKINIT and your
forwarded agent.  Nothing supports that to my knowledge.

Nico
-- 
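
A check for the GSS-API setup recommended above, as an added example that is not part of the original message: the function reads the effective client configuration in the format printed by OpenSSH's `ssh -G <host>` and reports whether Kerberos authentication and credential delegation are both enabled for that host. The function names, host names and sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a host's effective OpenSSH client settings for
# Kerberos (GSS-API) authentication and credential delegation.
# Input:  `ssh -G <host>` output on stdin (lowercase "keyword value" lines).
# Output: one word on stdout:
#   delegating - GSS-API auth on and the TGT is delegated to the server
#   auth-only  - GSS-API auth on, no delegation (no ticket on the remote side)
#   disabled   - GSS-API auth off or not reported
# The server side also needs GSSAPIAuthentication enabled in sshd_config.
gss_mode() {
    awk '
        $1 == "gssapiauthentication"      { auth = $2 }
        $1 == "gssapidelegatecredentials" { deleg = $2 }
        END {
            if (auth != "yes")       print "disabled"
            else if (deleg == "yes") print "delegating"
            else                     print "auth-only"
        }'
}

# Constructed sample of `ssh -G` output for a host configured with
#   GSSAPIAuthentication yes
#   GSSAPIDelegateCredentials yes
sample_delegating() {
    printf '%s\n' 'user alice' 'hostname nfs-client.example.org' \
        'gssapiauthentication yes' 'gssapidelegatecredentials yes'
}

# Constructed sample for a host left at the client defaults.
sample_default() {
    printf '%s\n' 'hostname other.example.org' \
        'gssapiauthentication no' 'gssapidelegatecredentials no'
}

# Real use: ssh -G somehost | gss_mode
sample_delegating | gss_mode
sample_default | gss_mode
```

A result of `auth-only` means the login itself uses Kerberos but no ticket reaches the remote host, so a krb5 mount there would still lack credentials.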


