Request for help: How do I get tickets to these workstations?

Jan-Piet Mens jpmens.dns at
Mon Jun 4 15:15:33 EDT 2012

I need a bit of help, please, for the following scenario: a bunch of
workstations (PCs, on the left) currently connect via SSH to a
semi-trusted bastion host, from which users jump onto machines in a
trusted environment. This design cannot be changed.

+----+        +---------+        +--------+
|    +-- SSH -> semi    +-- SSH -> trusted|
| PC |        | trusted |        |        |
+----+        +---------+        +---^----+
                                 |  KDC   |
                                 |        |

Users now hop onto the semi-trusted system and invoke `kinit', but they
have to do this for each and every SSH session.

The initial SSH connection is from a foreign network, and I'd like these
workstations to obtain TGT from the designated KDC. The PCs run a flavor
of Windows, so KfW is what I need.

I suppose the question I'm asking is: is there something like a Kerberos
proxy I could install on the "semi-trusted" system from which the PCs
would get their tickets? Alternatively, how much risk would I be
undergoing if I added an additional KDC on the semi-trusted system?

Hoping I'm making some sort of sense.


