A way to automatically get a ticket through ssh for a local user

Mauro Cazzari mymagicid at gmail.com
Thu Jul 14 17:32:43 EDT 2016


I've been trying to figure out whether there is a way for a local user on
Unix to automatically get a ticket when logging onto a server using ssh.
Keep in mind that the KDC being used doesn't interface with LDAP, but it's
rather a standalone KDC. After having added a principal to the KDC for a
test id, I was able to log on to the ssh server and see that a ticket had
been acquired. However, any subsequent logons to other ssh servers generate
no tickets at all. For completeness, the first logon asks for a password,
whereas the others don't. If I force the use of a password for the other
logons, then a ticket gets regularly generated. Ideally, I'd like to ssh
from one server to another getting a new ticket every time.
These are the current settings I have in ssh_config:

Host *
        GSSAPIAuthentication yes
        GSSAPIDelegateCredentials yes
        GSSAPIKeyExchange yes

These are my settings in sshd_config:

# Kerberos options
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
GSSAPIKeyExchange yes

UsePAM yes

Is there anything else that needs to be set in order for tickets to be
automatically generated following an ssh to a server?
Thanks!
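An added check, not part of the original post: OpenSSH's GSSAPIDelegateCredentials can only hand a ticket on to the next hop when the TGT in the cache is forwardable (MIT `klist -f` shows this as an `F` in the Flags line of the krbtgt entry; `forwardable = true` under `[libdefaults]` in krb5.conf or `kinit -f` requests one). The function below parses `klist -f` text on stdin and reports whether the krbtgt entry carries that flag; the embedded sample is constructed to mimic MIT klist output and the principal and realm are placeholders.

```shell
# tgt_forwardable: read `klist -f` output on stdin, exit 0 if the krbtgt
# (TGT) entry carries the F (forwardable) flag, exit 1 otherwise.
# Usage on a live session:  klist -f | tgt_forwardable && echo "forwardable"
tgt_forwardable() {
    awk '
        # the TGT line names the krbtgt service principal; its Flags line follows
        /krbtgt\// { in_tgt = 1; next }
        in_tgt && /Flags:/ {
            split($0, parts, "Flags:")
            flags = parts[2]
            gsub(/[ \t]/, "", flags)
            if (index(flags, "F") > 0) found = 1
            in_tgt = 0
        }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample (MIT klist -f style) of a cache whose TGT is forwardable.
SAMPLE_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: testid@EXAMPLE.COM

Valid starting       Expires              Service principal
07/14/2016 17:00:00  07/15/2016 03:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	Flags: FIA
07/14/2016 17:01:00  07/15/2016 03:00:00  host/server2.example.com@EXAMPLE.COM
	Flags: FA'

# Constructed sample of a cache whose TGT was obtained without forwardable
# set: delegation to the next ssh hop cannot produce a ticket from this one.
SAMPLE_PLAIN='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: testid@EXAMPLE.COM

Valid starting       Expires              Service principal
07/14/2016 17:00:00  07/15/2016 03:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	Flags: IA'
```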

