A way to automatically get a ticket through ssh for a local user
Brandon Allbery
ballbery at sinenomine.net
Thu Jul 14 18:25:50 EDT 2016
On 7/14/16, 17:32, "kerberos-bounces at mit.edu on behalf of Mauro Cazzari" <kerberos-bounces at mit.edu on behalf of mymagicid at gmail.com> wrote:
# Kerberos options
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
I would turn these off; they refer to an older Kerberos API in ssh and may interfere with GSSAPI.
The others look correct. Note that if it is using public key authentication to get to the next server, it will not use the Kerberos code and therefore won’t forward (delegate) credentials to the next server. (Also note that if there are other matching Host blocks, the “Host *” block in ssh_config won’t be used.
More information about the Kerberos
mailing list