Request for help: How do I get tickets to these workstations?
Jan-Piet Mens
jpmens.dns at gmail.com
Mon Jun 4 15:15:33 EDT 2012
I need a bit of help, please, for the following scenario: a bunch of
workstations (PCs, on the left) currently connect via SSH to a
semi-trusted bastion host, from which users jump onto machines in a
trusted environment. This design cannot be changed.

+----+          +---------+          +---------+
|    +-- SSH -> |  semi   +-- SSH -> | trusted |
| PC |          | trusted |          |         |
+----+          +---------+          +----^----+
                                          |
                                     +----+----+
                                     |   KDC   |
                                     |         |
                                     +---------+

Users now hop onto the semi-trusted system and invoke `kinit', but they
have to do this for each and every SSH session.

The initial SSH connection is from a foreign network, and I'd like these
workstations to obtain a TGT from the designated KDC. The PCs run a flavor
of Windows, so KfW is what I need.

I suppose the question I'm asking is: is there something like a Kerberos
proxy I could install on the "semi-trusted" system from which the PCs
would get their tickets? Alternatively, how much risk would I be
undergoing if I added an additional KDC on the semi-trusted system?
Hoping I'm making some sort of sense.
Regards,
-JP