ssh with expired tgt

Frank Cusack frank at linetwo.net
Fri Feb 15 15:13:42 EST 2013


Windows clients will handle this automatically by giving the user the
Kerberos password prompt.  In that case it's done in the kerb library.  For
unix (and mac) clients this doesn't happen.  The easiest solution is to
wrap the ssh binary with an expiration checker tool.  Another route is to
deploy a TGT checker daemon (e.g. Solaris has this by default), which
operates outside of ssh entirely.  The user will get prompts on his desktop
when the TGT expires or is close to expiring, and generally the tool also
allows for auto-renewal.

On Fri, Feb 15, 2013 at 4:44 AM, Paul DiSciascio <thenut at bytemonkey.net> wrote:

> Hi,
>   I have deployed a kerberos infrastructure with multiple KDCs.  In the
> event that a user attempts to log in to a server via ssh with an expired
> tgt, the behavior is to check each KDC and then fail.  The overall
> process takes about 10 seconds, after which ssh moves on to other
> authentication types (password, rsa, etc), but it does this silently.
> From the user's perspective it seems like things are just slow.  Is
> there any way to modify configuration such that the user receives a
> message that the tgt is expired?  Would this be a function of ssh or the
> krb libraries/utils?  I can envision a few ways to script around this,
> but I was hoping there's a more elegant solution.
>
> Thanks,
> Paul
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
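As an added example (not code from either poster), this is the "wrap the ssh binary with an expiration checker" approach from the reply above: a wrapper placed ahead of ssh on PATH that tells the user the TGT is missing or expired before GSSAPI is silently skipped. It assumes MIT or Heimdal `klist -s` (exits 0 only while a valid TGT is cached), `kinit`, and the real ssh at `$SSH_REAL` (the default `/usr/bin/ssh` is an assumed path).

```shell
#!/bin/sh
# ssh wrapper that checks the Kerberos TGT before running the real ssh.
# Assumes MIT/Heimdal klist and kinit; $SSH_REAL is an assumed path.

SSH_REAL="${SSH_REAL:-/usr/bin/ssh}"
SSH_WRAPPER_KINIT="${SSH_WRAPPER_KINIT:-1}"   # 1: offer kinit on a terminal

# tgt_check: return 0 when a valid TGT exists, 1 otherwise. On failure it
# names the cache on stderr so the user knows why GSSAPI is about to be skipped
# (klist -s exits non-zero when the cache is missing or holds no unexpired TGT).
tgt_check() {
    if command -v klist >/dev/null 2>&1 && klist -s 2>/dev/null; then
        return 0
    fi
    echo "ssh wrapper: no valid Kerberos TGT in ${KRB5CCNAME:-the default cache}" \
         "(expired or missing); GSSAPI authentication will be skipped" >&2
    return 1
}

# ssh_wrapper: check the TGT, optionally let the user renew it interactively
# (only when stdin and stderr are a terminal), then run the real ssh with the
# original arguments and return its exit status so other auth methods still work.
ssh_wrapper() {
    if ! tgt_check; then
        if [ "$SSH_WRAPPER_KINIT" = 1 ] && [ -t 0 ] && [ -t 2 ]; then
            echo "ssh wrapper: running kinit (Ctrl-C to skip)" >&2
            kinit || echo "ssh wrapper: kinit failed, continuing without a TGT" >&2
        fi
    fi
    "$SSH_REAL" "$@"
}

# When invoked with arguments (i.e. as the ssh command), behave like ssh.
if [ "$#" -gt 0 ]; then
    ssh_wrapper "$@"
    exit "$?"
fi
```

Install it as `ssh` in a directory that precedes `/usr/bin` on the user's PATH; the real client still runs, so password and public-key authentication are unaffected.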