Request for help: How do I get tickets to these workstations?
Oliver Loch
o.loch at gmx.net
Mon Jun 4 16:38:07 EDT 2012
Hi,
you can forward the Kerberos credentials over ssh.
OpenSSH has the setting:
GSSAPIDelegateCredentials
So the client gets a TGT, logs in to the server and the TGT is forwarded to the server and available there.
It's a client (!) setting. IIRC PuTTY supports that too.
KR,
Oliver
On 04.06.2012 at 21:15, Jan-Piet Mens wrote:
> I need a bit of help, please for the following scenario: a bunch of
> workstations (PCs, on the left) currently connect via SSH to a
> semi-trusted bastion host, from which users jump onto machines in a
> trusted environment. This design cannot be changed.
>
> +----+        +---------+        +--------+
> |    +-- SSH -> semi    +-- SSH -> trusted|
> | PC |        | trusted |        |        |
> +----+        +---------+        +---^----+
>                                      |
>                                  +---+----+
>                                  |  KDC   |
>                                  |        |
>                                  +--------+
>
> Users now hop onto the semi-trusted system and invoke `kinit', but they
> have to do this for each and every SSH session.
>
> The initial SSH connection is from a foreign network, and I'd like these
> workstations to obtain TGT from the designated KDC. The PCs run a flavor
> of Windows, so KfW is what I need.
>
> I suppose the question I'm asking is: is there something like a Kerberos
> proxy I could install on the "semi-trusted" system from which the PCs
> would get their tickets? Alternatively, how much risk would I be
> undergoing if I added an additional KDC on the semi-trusted system?
>
> Hoping I'm making some sort of sense.
>
> Regards,
>
> -JP
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
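
A check for the client-side setup described in the reply above, added here as an example and not part of the original thread: it reads the effective client options as printed by `ssh -G <host>` and the ticket flags as printed by `klist -f`, so you can confirm that delegation is enabled only for the bastion and that the TGT is forwardable, which delegation requires. The function names `gss_state` and `tgt_forwardable` are hypothetical, the sample inputs are constructed, and it assumes an OpenSSH client built with GSSAPI support and MIT-style `klist -f` output.

```shell
#!/bin/sh
# Added example (not from the thread): audit Kerberos credential delegation
# on an OpenSSH client. Function names are hypothetical.

# Read `ssh -G <host>` output on stdin and print one of:
#   delegating   GSSAPI auth on and GSSAPIDelegateCredentials yes
#   gssapi-only  GSSAPI auth on, TGT is not forwarded to the host
#   no-gssapi    GSSAPI authentication disabled for this host
gss_state() {
    awk '
        tolower($1) == "gssapiauthentication"      { auth  = tolower($2) }
        tolower($1) == "gssapidelegatecredentials" { deleg = tolower($2) }
        END {
            if (auth != "yes")       print "no-gssapi"
            else if (deleg == "yes") print "delegating"
            else                     print "gssapi-only"
        }'
}

# Read `klist -f` output on stdin; succeed only if the krbtgt entry carries
# the F (forwardable) flag. Lowercase f means "forwarded" and does not count.
tgt_forwardable() {
    awk '
        /krbtgt\// { in_tgt = 1; next }
        in_tgt && /Flags:/ {
            sub(/.*Flags:[ \t]*/, "")
            if (index($0, "F") > 0) ok = 1
            in_tgt = 0
        }
        END { exit (ok ? 0 : 1) }'
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_SSH_G='hostname bastion.example.org
gssapiauthentication yes
gssapidelegatecredentials yes'
SAMPLE_KLIST='Valid starting     Expires            Service principal
06/04/12 16:00:00  06/05/12 02:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        renew until 06/11/12 16:00:00, Flags: FRIA'

# Demonstration on the samples; on a real client use
#   ssh -G bastion.example.org | gss_state    and    klist -f | tgt_forwardable
printf '%s\n' "$SAMPLE_SSH_G" | gss_state
printf '%s\n' "$SAMPLE_KLIST" | tgt_forwardable && echo "TGT is forwardable"
```

Running `gss_state` against every host alias in the client configuration shows where a TGT would be handed over; any host other than the bastion reporting `delegating` is worth reviewing.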