Request for help: How do I get tickets to these workstations?

Douglas E. Engert deengert at anl.gov
Tue Jun 5 09:51:22 EDT 2012



On 6/5/2012 1:37 AM, Jan-Piet Mens wrote:
>>> +----+        +---------+        +--------+
>>> |    +-- SSH ->   semi    +-- SSH ->   trusted|
>>> | PC |        | trusted |        |        |
>>> +----+        +---------+        +---^----+
>>>                                        |
>>>                                    +---+----+
>>>                                    |  KDC   |
>>>                                    |        |
>>>                                    +--------+
>
>> I am assuming that the KDC is behind a firewall, and the PC cannot contact the KDC?
>
> Correct. The "semi-trusted" host can contact the KDC; the PC cannot.
>
>> Otherwise KfW and PuTTY with GSSAPI delegation as Oliver pointed out should work.
>
> Yes, I understand that, and thank you both.
>
>>> Users now hop onto the semi-trusted system and invoke `kinit', but they
>>> have to do this for each and every SSH session.
>>
>> And you are not using pam_krb5 on the bastion host either, as the user is doing
>> kinit.
>
> How would using pam_krb5 on the bastion host help? Surely, each SSH
> connection to the bastion host from the PC would re-prompt for
> credentials, because the PC doesn't have a TGT.

The above comment was not meant to mean that pam_krb5 would help your situation,
but to imply that you were willing to use kinit, relying on SSH keys
(I assume) to authenticate to the bastion host and thus requiring two
types of authentication to get past your firewall. Using kinit would also
make it easier to implement shared ticket caches for the users on this host.
As you point out, pam_krb5 would require the password on each connection.

>
>>    From a security point of view that is not much different than opening
>> up port 88 of the KDC in your firewall.
>
> I don't think this is an option at the moment.
>
> While we're at it: are there organizations who have Internet-facing KDCs
> or would that be complete madness?
>
> Regards,
>
>          -JP
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
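As an added example that is not part of the thread: a bastion-side setup for the flow discussed above (SSH key from the PC to the bastion, kinit on the bastion, the TGT delegated onward to the trusted host). It assumes MIT Kerberos client tools (kinit, klist) and OpenSSH on the bastion; the hostname trusted.example.org, the realm EXAMPLE.ORG, the cache path and the klist transcript are constructed for illustration, not taken from the original message.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Assumes MIT Kerberos (kinit, klist) and OpenSSH on the bastion host.
# Hostnames, realm and paths below are hypothetical.

# Bastion ~/.ssh/config: authenticate to the trusted host with the TGT
# obtained by kinit and forward (delegate) it, so no second kinit is
# needed on the trusted host.
SSH_CONFIG_STANZA='Host trusted.example.org
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes'

# Bastion ~/.profile: reuse one per-user ticket cache across all SSH
# sessions (instead of the default per-session /tmp/krb5cc_UID_XXXXXX)
# and run kinit only when the cache is missing or the TGT has expired.
ensure_tgt() {
    cache="${1:-FILE:$HOME/.krb5cc}"
    export KRB5CCNAME="$cache"
    # klist -s is silent and exits 0 only if the cache holds a valid TGT
    if klist -s 2>/dev/null; then
        return 0
    fi
    # -f asks for a forwardable TGT; without it GSSAPIDelegateCredentials
    # has nothing to delegate (many krb5.conf files make this the default)
    kinit -f
}

# Extract the TGT expiry from 'klist' output (fields: start date, start
# time, expiry date, expiry time, service principal) so the login script
# can tell the user how long the shared cache will last.
tgt_expiry() {
    awk '$5 ~ /^krbtgt\// { print $3, $4; exit }'
}

# Constructed klist transcript used to exercise tgt_expiry offline.
SAMPLE_KLIST='Ticket cache: FILE:/home/jp/.krb5cc
Default principal: jp@EXAMPLE.ORG

Valid starting       Expires              Service principal
06/05/2012 09:51:22  06/05/2012 19:51:22  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
06/05/2012 09:52:10  06/05/2012 19:51:22  host/trusted.example.org@EXAMPLE.ORG'

# Usage on the bastion (commented out so the file can be sourced safely):
#   ensure_tgt && printf 'TGT valid until %s\n' "$(klist | tgt_expiry)"
#   printf '%s\n' "$SSH_CONFIG_STANZA" >> ~/.ssh/config
```

A persistent cache file must stay mode 0600 and owned by the user; anyone who can read it holds that user's TGT for its remaining lifetime, which is the trade-off against the per-session kinit the thread complains about.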

