Request for help: How do I get tickets to these workstations?
Jan-Piet Mens
jpmens.dns at gmail.com
Tue Jun 5 02:37:20 EDT 2012
> > +----+          +---------+          +--------+
> > |    +-- SSH -> | semi    +-- SSH -> | trusted|
> > | PC |          | trusted |          |        |
> > +----+          +---------+          +---^----+
> >                                          |
> >                                      +---+----+
> >                                      |  KDC   |
> >                                      |        |
> >                                      +--------+
> I am assuming that the KDC is behind a firewall, and the PC cannot contact the KDC?
Correct. The "semi-trusted" host can contact the KDC; the PC cannot.
> Otherwise KfW and PuTTY with GSSAPI delegation as Oliver pointed out should work.
Yes, I understand that, and thank you both.
> > Users now hop onto the semi-trusted system and invoke `kinit', but they
> > have to do this for each and every SSH session.
>
> And you are not using pam_krb5 on the bastion host either, as the user is doing
> kinit.
How would using pam_krb5 on the bastion host help? Surely, each SSH
connection to the bastion host from the PC would re-prompt for
credentials, because the PC doesn't have a TGT.
> From a security point of view that is not much different than opening
> up port 88 of the KDC in your firewall.
I don't think this is an option at the moment.
While we're at it: are there organizations who have Internet-facing KDCs
or would that be complete madness?
Regards,
-JP
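The two alternatives raised in this thread (pam_krb5 on the bastion so that a password login obtains the TGT, versus GSSAPI credential delegation from the PC, which needs the PC to reach the KDC on port 88) map onto a few configuration lines. The fragments below are an added illustration, not configuration from JP or from the earlier replies; the hostname, the file paths and the choice of an OpenSSH client on the PC are assumptions (PuTTY with KfW exposes the same GSSAPI and delegation switches in its GUI).

```conf
# Added example, not from the thread. Hostnames and paths are placeholders.

# --- Option A: pam_krb5 on the bastion ("semi-trusted") host ---------------
# /etc/pam.d/sshd on the bastion. The bastion can reach the KDC, so a password
# login through sshd obtains a TGT for the user automatically and caches it;
# the user no longer runs kinit once per SSH session. This only applies when
# sshd authenticates via PAM (password), not when public keys are used.
auth       sufficient   pam_krb5.so try_first_pass
auth       required     pam_unix.so try_first_pass
session    optional     pam_krb5.so

# --- Option B: GSSAPI delegation from the PC (needs PC -> KDC on port 88) ---
# ~/.ssh/config on the PC (OpenSSH client assumed). Delegation is enabled only
# for the bastion's Host block rather than globally, because any host that
# receives a delegated TGT can act as the user toward other services.
Host bastion.example.org
    GSSAPIAuthentication      yes
    GSSAPIDelegateCredentials yes

# /etc/ssh/sshd_config on the bastion: accept GSSAPI logins and destroy the
# delegated credential cache when the session ends.
GSSAPIAuthentication     yes
GSSAPICleanupCredentials yes
```

With option A the PC never talks to the KDC, which matches the firewall constraint described in the thread; with option B the KDC port must be reachable from the PC, which is the point the quoted reply makes about it being equivalent to opening port 88. In both cases the bastion ends up holding a usable TGT for the user, so `GSSAPICleanupCredentials` and a short ticket lifetime on the bastion limit how long that cache survives a session.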