Request for help: How do I get tickets to these workstations?

Oliver Loch o.loch at gmx.net
Mon Jun 4 16:38:07 EDT 2012


Hi,

You can forward the Kerberos credentials over SSH.

OpenSSH has the setting:

GSSAPIDelegateCredentials

So the client gets a TGT, logs in to the server, and the TGT is forwarded to the server and available there.

It's a client (!) setting. IIRC PuTTY supports that too.

KR,

Oliver


On 04.06.2012 at 21:15, Jan-Piet Mens wrote:

> I need a bit of help, please for the following scenario: a bunch of
> workstations (PCs, on the left) currently connect via SSH to a
> semi-trusted bastion host, from which users jump onto machines in a
> trusted environment. This design cannot be changed.
> 
> +----+        +---------+        +--------+
> |    +-- SSH -> semi    +-- SSH -> trusted|
> | PC |        | trusted |        |        |
> +----+        +---------+        +---^----+
>                                     |
>                                 +---+----+
>                                 |  KDC   |
>                                 |        |
>                                 +--------+
> 
> Users now hop onto the semi-trusted system and invoke `kinit', but they
> have to do this for each and every SSH session.
> 
> The initial SSH connection is from a foreign network, and I'd like these
> workstations to obtain TGT from the designated KDC. The PCs run a flavor
> of Windows, so KfW is what I need.
> 
> I suppose the question I'm asking is: is there something like a Kerberos
> proxy I could install on the "semi-trusted" system from which the PCs
> would get their tickets? Alternatively, how much risk would I be
> undergoing if I added an additional KDC on the semi-trusted system?
> 
> Hoping I'm making some sort of sense.
> 
> Regards,
> 
>        -JP
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
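
An added example, not part of either message: a small Python check of which hosts an OpenSSH client configuration would forward a TGT to under the GSSAPIDelegateCredentials setting named in the reply, so delegation can be confirmed as limited to the intended host. The sample configuration and host names are constructed, and Match and Include directives are not evaluated.

```python
import fnmatch

# Constructed sample client configuration (not from the thread); host names are hypothetical.
SAMPLE_CONFIG = """\
Host bastion.example.org
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *.example.org !legacy.example.org
    GSSAPIAuthentication yes

Host *
    GSSAPIDelegateCredentials no
"""

def host_block_applies(patterns, hostname):
    """ssh_config Host rule: a matching negated pattern vetoes the block;
    otherwise at least one positive pattern must match."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pat):
            matched = True
    return matched

def effective_option(config_text, hostname, keyword, default="no"):
    """Return the value used for `keyword`: the first value obtained wins."""
    active = True  # lines before the first Host block apply to every host
    for raw in config_text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "host":
            active = host_block_applies(args, hostname)
        elif key == "match":
            active = False  # assumption: Match blocks are skipped, not evaluated
        elif active and key == keyword.lower() and args:
            return args[0].lower()
    return default

def delegates_tgt(config_text, hostname):
    """True if the client would forward its TGT to `hostname`."""
    return effective_option(config_text, hostname, "GSSAPIDelegateCredentials") == "yes"
```
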


