GSSAPI Issue
Russ Allbery
rra at stanford.edu
Wed Nov 24 13:55:33 EST 2010
Greg Hudson <ghudson at MIT.EDU> writes:
> It is possible to forward credentials from the client to the server.
> For this to work, the following must be true:
> * You must have obtained forwardable tickets on the client. You can do
> this with kinit -f, or by setting "forwardable = true" in the
> [libdefaults] section of krb5.conf.
> * "GSSAPIDelegateCredentials yes" must be set in ssh_config, or
> specified on the command line with ssh -o GSSAPIDelegateCredentials=yes.
ssh -K is a shortcut for the latter and lets you choose for each ssh
command whether you want to forward tickets. I usually only use the ssh
setting for specific hosts I use a lot and explicitly add the -K when I
want to forward tickets to other hosts.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the Kerberos
mailing list