A way to automatically get a ticket through ssh for a local user

Benjamin Kaduk kaduk at MIT.EDU
Fri Jul 15 01:39:12 EDT 2016


On Thu, 14 Jul 2016, Mauro Cazzari wrote:

> I've been trying to figure out whether there is a way for a local user on
> Unix to automatically get a ticket when logging onto a server using ssh.

This terminology is sufficiently vague that I'm not entirely sure what
behavior you actually want.

By "ticket", do you mean "fresh TGT", "service ticket for
host/<ssh-server>", or something else?

Do you expect the local user to have to enter a password when logging into
the server?

> Keep in mind that the KDC being used doesn't interface with LDAP, but it's
> rather a standalone KDC. After having added a principal to the KDC for a
> test id, I was able to log on to the ssh server and see that a ticket had
> been acquired. However, any subsequent logons to other ssh servers generate
> no tickets at all. For completeness, the first logon asks for a password,
> whereas the others don't. If I force the use of a password for the other
> logons, then a ticket gets regularly generated. Ideally, I'd like to ssh

This sounds consistent with pam_krb5 being in the stack on the server,
since it can use the supplied password to obtain a TGT for the ensuing
session.  (But is it what you want?)

> from one server to another getting a new ticket every time.
> These are the current settings I have in ssh_config:
> Host *
>         GSSAPIAuthentication yes
>         GSSAPIDelegateCredentials yes
>         GSSAPIKeyExchange yes
> These are my settings in sshd_config:
> # Kerberos options
> KerberosAuthentication yes
> KerberosOrLocalPasswd yes
> KerberosTicketCleanup yes
> #KerberosGetAFSToken no
> #KerberosUseKuserok yes

As Brandon said, these are old/deprecated and it is unusual for them to be
the desired configuration.  But I don't know enough about what you want in
order to be able to say that for sure.

-Ben

> # GSSAPI options
> #GSSAPIAuthentication no
> GSSAPIAuthentication yes
> #GSSAPICleanupCredentials yes
> GSSAPICleanupCredentials yes
> #GSSAPIStrictAcceptorCheck yes
> GSSAPIKeyExchange yes
>
> UsePAM yes
> Is there anything else that needs to be set in order for tickets to be
> automatically generated following a ssh to a server?
> Thanks!
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
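As an added illustration of the point Ben makes above (not code from the thread or from OpenSSH), the following POSIX shell script audits an sshd_config and a client ssh_config for the Kerberos-related keywords quoted in the thread: it flags the old KerberosAuthentication-style options as deprecated, confirms that GSSAPIAuthentication is enabled on the server, and checks that the client sets GSSAPIDelegateCredentials, which is the option that actually carries a forwardable TGT to the next host so that no password prompt is needed there. The sample config texts are constructed to mirror the settings quoted in the thread, and the helper names (ssh_opt, deprecated_kerberos_opts, audit_sshd_config, client_forwards_tgt) are this example's own.

```shell
#!/bin/sh
# Added example: audit ssh/sshd configs for the Kerberos and GSSAPI keywords
# discussed in the thread. Sample configs below are constructed, not real files.

# Constructed sshd_config excerpt, mirroring the server settings quoted above.
SAMPLE_SSHD_CONFIG='# Kerberos options
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIKeyExchange yes
UsePAM yes'

# Constructed ssh_config excerpt, mirroring the client settings quoted above.
SAMPLE_SSH_CONFIG='Host *
        GSSAPIAuthentication yes
        GSSAPIDelegateCredentials yes
        GSSAPIKeyExchange yes'

# Print the effective value of one keyword read from stdin. OpenSSH uses the
# first uncommented occurrence of a keyword, so we stop at the first match.
# Only the "Keyword value" spelling is handled here, not "Keyword=value".
ssh_opt() {
    awk -v key="$1" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }
    '
}

# Print, space separated, the deprecated password-based Kerberos options that
# are switched on. These make sshd itself verify the password with the KDC,
# which is the old mechanism Ben calls unusual as a desired configuration.
deprecated_kerberos_opts() {
    cfg="$1"
    found=""
    for k in KerberosAuthentication KerberosOrLocalPasswd; do
        [ "$(printf '%s\n' "$cfg" | ssh_opt "$k")" = "yes" ] && found="$found${found:+ }$k"
    done
    printf '%s\n' "$found"
}

# Return 0 when the server relies on GSSAPI only, 1 otherwise.
audit_sshd_config() {
    cfg="$1"
    dep=$(deprecated_kerberos_opts "$cfg")
    gss=$(printf '%s\n' "$cfg" | ssh_opt GSSAPIAuthentication)
    if [ -n "$dep" ]; then
        echo "sshd: deprecated Kerberos password options enabled: $dep"
    fi
    if [ "$gss" != "yes" ]; then
        echo "sshd: GSSAPIAuthentication is off; a forwarded TGT cannot be accepted"
    fi
    [ -z "$dep" ] && [ "$gss" = "yes" ]
}

# Return 0 when the client will both authenticate with GSSAPI and forward the
# user's TGT to the server. Forwarding also requires the TGT itself to be
# forwardable (kinit -f, or forwardable = true in krb5.conf); the config alone
# cannot tell you that, so check the ticket flags with klist -f as well.
client_forwards_tgt() {
    cfg="$1"
    [ "$(printf '%s\n' "$cfg" | ssh_opt GSSAPIAuthentication)" = "yes" ] &&
    [ "$(printf '%s\n' "$cfg" | ssh_opt GSSAPIDelegateCredentials)" = "yes" ]
}

echo "--- sshd_config audit ---"
if audit_sshd_config "$SAMPLE_SSHD_CONFIG"; then
    echo "sshd: GSSAPI-only configuration"
else
    echo "sshd: configuration needs attention"
fi

echo "--- ssh_config audit ---"
if client_forwards_tgt "$SAMPLE_SSH_CONFIG"; then
    echo "client: will forward a forwardable TGT to the next host"
else
    echo "client: no ticket will appear on the next host without a password"
fi
```

Run it against your real files with `audit_sshd_config "$(cat /etc/ssh/sshd_config)"`. Two caveats worth keeping in mind when reading the result: GSSAPICleanupCredentials yes (as in the quoted config) deletes the forwarded ticket cache when the session ends, which is normally what you want, and GSSAPIKeyExchange is not part of stock OpenSSH, so sshd will reject it unless your distribution ships the GSSAPI key exchange patch.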

