GSSAPI Issue

Russ Allbery rra at stanford.edu
Wed Nov 24 13:55:33 EST 2010


Greg Hudson <ghudson at MIT.EDU> writes:

> It is possible to forward credentials from the client to the server.
> For this to work, the following must be true:

> * You must have obtained forwardable tickets on the client.  You can do
> this with kinit -f, or by setting "forwardable = true" in the
> [libdefaults] section of krb5.conf.

> * "GSSAPIDelegateCredentials yes" must be set in ssh_config, or
> specified on the command line with ssh -o GSSAPIDelegateCredentials=yes.

ssh -K is a shortcut for the latter and lets you choose for each ssh
command whether you want to forward tickets.  I usually only use the ssh
setting for specific hosts I use a lot and explicitly add the -K when I
want to forward tickets to other hosts.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>



More information about the Kerberos mailing list