using a ssh key for krb5 mount

Greg Hudson ghudson at MIT.EDU
Mon May 17 11:34:11 EDT 2010


On Mon, 2010-05-17 at 11:02 -0400, Richard Smits wrote:
> But my question is, is this possible? Obtaining a krb5 ticket with ssh
> public/private key mechanism?
>
> I think not ... but you never know ... Does krb5 always want a password?

Generally speaking, no.  If it were possible, then your ssh server would
be able to masquerade as any user by simply pretending that someone
logged in with an appropriate ssh private key.

There is actually a mechanism to allow that kind of authentication
protocol transfer, if the server is trusted.  It originated with
Microsoft and is alternately called S4U2Proxy or Constrained Delegation.
However, using it in sshd would require additional code, and getting the
SSH people to accept additional Kerberos code is basically impossible.

Nico's PKINIT scenario is similarly outlandish from an implementation
point of view, although it does have the advantage of placing less trust
in the ssh server.




