using a ssh key for krb5 mount

Ken Raeburn raeburn at MIT.EDU
Mon May 17 11:33:41 EDT 2010


On May 17, 2010, at 11:02, Richard Smits wrote:
> But now we have a user who wants to authenticate from home with his ssh 
> private/public key. His public key is in his homedir. (Which is not 
> mounted yet)
> 
> If the user logs in, this mechanism works for a couple of hours. 
> (ticket is valid then)
> 
> But my question is, is this possible ? Obtaining a krb5 ticket with ssh 
> public/private key mechanism ?

No.  For the basic Kerberos protocol, you need a single shared secret between the user and the KDC; a public/private key pair not known to the KDC won't do.

There is the PKINIT "preauthentication" system in Kerberos, which uses certificates.
One could perhaps rig something up where certificates are created using the same keys as used for SSH, but it needs to be signed by an authority that the KDC trusts, and the user would need to keep that signed certificate around, so there's really not much point in trying to tie it to the SSH keys.  And if the user's still stuck with the horrible inconvenience of running Kerberos at home, PKINIT vs "regular" Kerberos may not make much of a difference.

Ken


