Request for help: How do I get tickets to these workstations?

Douglas E. Engert deengert at
Mon Jun 4 17:39:15 EDT 2012

On 6/4/2012 2:15 PM, Jan-Piet Mens wrote:
> I need a bit of help, please for the following scenario: a bunch of
> workstations (PCs, on the left) currently connect via SSH to a
> semi-trusted bastion host, from which users jump onto machines in a
> trusted environment. This design cannot be changed.
> +----+        +---------+        +--------+
> |    +-- SSH ->  semi    +-- SSH ->  trusted|
> | PC |        | trusted |        |        |
> +----+        +---------+        +---^----+
>                                       |
>                                   +---+----+
>                                   |  KDC   |
>                                   |        |
>                                   +--------+

I am assuming that the KDC is behind a firewall, and the PC cannot contact the KDC?
Otherwise KfW and PuTTY with GSSAPI delegation as Oliver pointed out should work.

> Users now hop onto the semi-trusted system and invoke `kinit', but they
> have to do this for each and every SSH session.

And you are not using pam_krb5 on the bastion host either, as the user is doing

If the problem is they have to do kinit every time and you are willing to
have them do it once a day or so, you could use the fact that the ticket
cache when saved on disk is owned by the user, and a user could have a common
ticket cache shared by all their sessions. Some systems set the KRB5CCNAME
to a different file name each time. You could use the default of
/tmp/krb5cc_<uid>. Just make sure that when the first ssh session ends
it does not destroy the ticket cache.

> The initial SSH connection is from a foreign network, and I'd like these
> workstations to obtain TGT from the designated KDC. The PCs run a flavor
> of Windows, so KfW is what I need.
> I suppose the question I'm asking is: is there something like a Kerberos
> proxy I could install on the "semi-trusted" system from which the PCs
> would get their tickets? Alternatively, how much risk would I be
> undergoing if I added an additional KDC on the semi-trusted system?

From a security point of view that is not much different than opening
up port 88 of the KDC in your firewall.

You could use a VPN from the PC to inside your firewall.

> Hoping I'm making some sort of sense.
> Regards,
>          -JP
> ________________________________________________
> Kerberos mailing list           Kerberos at


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

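An added shell example of the shared-cache approach described in the reply above; it is not code from the original thread or from either poster. It assumes the MIT Kerberos client tools (kinit, klist, kdestroy) on the bastion host, the MIT default cache name FILE:/tmp/krb5cc_<uid>, GNU or BSD stat, and uses the output of `who` as a heuristic for whether the user still has other logins (an assumption, labelled in the code). Sourcing it from the user's ~/.profile on the bastion overrides any per-session KRB5CCNAME that PAM or sshd may have set, so every SSH session reuses one TGT and kinit is only run when the cache is missing or expired.

```shell
#!/bin/sh
# Added example, not from the original thread: share one Kerberos credential
# cache across all of a user's SSH sessions on a bastion host.
# Assumes MIT Kerberos client tools and the default FILE:/tmp/krb5cc_<uid>.

# Build the shared cache name for a numeric uid.
krb5_shared_ccname() {
    printf 'FILE:/tmp/krb5cc_%s\n' "$1"
}

# Return 0 only if the cache file exists, is owned by the caller and is
# mode 0600; a shared cache must not be readable by other users.
krb5_cache_is_private() {
    path=${1#FILE:}
    [ -f "$path" ] || return 1
    # GNU stat first, BSD/macOS stat as the fallback.
    mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
    owner=$(stat -c '%u' "$path" 2>/dev/null || stat -f '%u' "$path")
    [ "$mode" = "600" ] && [ "$owner" = "$(id -u)" ]
}

# Return 0 if the cache holds a non-expired TGT, 1 otherwise.
# klist -s prints nothing and exits non-zero when the cache is missing
# or the tickets have expired.
krb5_have_tgt() {
    KRB5CCNAME="$1" klist -s 2>/dev/null
}

# Point this session at the shared cache and prompt for a password only
# when no usable TGT is already there. Call this from ~/.profile.
krb5_session_init() {
    KRB5CCNAME=$(krb5_shared_ccname "$(id -u)")
    export KRB5CCNAME
    if krb5_have_tgt "$KRB5CCNAME"; then
        if ! krb5_cache_is_private "$KRB5CCNAME"; then
            echo "warning: $KRB5CCNAME has unsafe ownership or mode" >&2
        fi
        return 0
    fi
    kinit
}

# At logout never run kdestroy unconditionally: other sessions share the
# cache. Destroy it only when this looks like the user's last login.
# Assumption: 'who' lists one line per remaining login session.
krb5_session_end() {
    sessions=$(who | awk -v u="$(id -un)" '$1 == u' | wc -l)
    if [ "$sessions" -le 1 ]; then
        kdestroy 2>/dev/null || true
    fi
}
```

The cache-privacy check matters because a shared FILE: cache in /tmp outlives the session that created it; kinit creates it 0600, but a stray umask or a copy made by hand can leave a TGT readable by every local user on the bastion.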