ssh with expired tgt

Paul DiSciascio thenut at bytemonkey.net
Fri Feb 15 07:44:45 EST 2013


Hi,
  I have deployed a kerberos infrastructure with multiple KDCs.  In the
event that a user attempts to log in to a server via ssh with an expired
tgt, the behavior is to check each KDC and then fail.  The overall
process takes about 10 seconds, after which ssh moves on to other
authentication types (password, rsa, etc), but it does this silently.
From the user's perspective it seems like things are just slow.  Is
there any way to modify configuration such that the user receives a
message that the tgt is expired?  Would this be a function of ssh or the
krb libraries/utils?  I can envision a few ways to script around this,
but I was hoping there's a more elegant solution.

Thanks,
Paul
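
One client-side way to script around this, as an added example that is not part of the original message or of OpenSSH or the Kerberos distribution: a wrapper meant to be sourced into the user's shell that checks the credential cache before connecting, prints a message when the TGT is missing or expired, and disables GSSAPI for that connection so ssh does not spend time on each KDC. The names `kssh` and `tgt_state` are hypothetical; it assumes MIT-style `klist -s` (silent, non-zero exit when the cache is unreadable or expired) and the OpenSSH client option `GSSAPIAuthentication`.

```shell
#!/bin/sh
# Added example: wrapper functions to source from a shell profile.
# KLIST and SSH can be overridden, e.g. to point at a different klist.
# Assumption: `klist -s` prints nothing and exits non-zero when the
# credential cache cannot be read or the TGT in it has expired.
KLIST="${KLIST:-klist}"
SSH="${SSH:-ssh}"

# tgt_state: print "valid" if a usable TGT is cached,
# otherwise "expired-or-missing".
tgt_state() {
    if "$KLIST" -s >/dev/null 2>&1; then
        echo valid
    else
        echo expired-or-missing
    fi
}

# kssh: run ssh normally when the TGT is valid. Otherwise tell the user
# why Kerberos login will not be attempted and skip GSSAPI, so ssh goes
# straight to the remaining methods (public key, password, ...).
kssh() {
    if [ "$(tgt_state)" = valid ]; then
        "$SSH" "$@"
    else
        echo "kssh: Kerberos TGT is missing or expired; run kinit to renew it." >&2
        echo "kssh: skipping GSSAPI, falling back to other authentication methods." >&2
        "$SSH" -o GSSAPIAuthentication=no "$@"
    fi
}
```

After sourcing the file, `kssh user@host` is used in place of `ssh user@host`; running `kinit` and retrying restores Kerberos login.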



