A way to automatically get a ticket through ssh for a local user

Diogenes S. Jesus splash at gmail.com
Fri Jul 15 04:38:42 EDT 2016


Hi

Apart from what the others said, don't forget your sshd server must have
"GSSAPIAuthentication yes" on your sshd_config - the default is no.

Dio

On Thu, Jul 14, 2016 at 11:32 PM, Mauro Cazzari <mymagicid at gmail.com> wrote:

> I've been trying to figure out whether there is a way for a local user on
> Unix to automatically get a ticket when logging onto a server using ssh.
> Keep in mind that the KDC being used doesn't interface with LDAP, but it's
> rather a standalone KDC. After having added a principle to the KDC for a
> test id, I was able to log on to the ssh server and see that a ticket had
> been acquired. However, any subsequent logons to other ssh servers generate
> no tickets at all. For completeness, the first logon asks for a password,
> whereas the others don't. If I force the use of a password for the other
> logons, then a ticket gets regularly generated. Ideally, I'd like to ssh
> from one server to another getting a new ticket every time.
> These are the current settings I have in ssh_config:
> Host *
>         GSSAPIAuthentication yes
>         GSSAPIDelegateCredentials yes
>         GSSAPIKeyExchange yes
> These are my settings in sshd_config:
> # Kerberos options
> KerberosAuthentication yes
> KerberosOrLocalPasswd yes
> KerberosTicketCleanup yes
> #KerberosGetAFSToken no
> #KerberosUseKuserok yes
>
> # GSSAPI options
> #GSSAPIAuthentication no
> GSSAPIAuthentication yes
> #GSSAPICleanupCredentials yes
> GSSAPICleanupCredentials yes
> #GSSAPIStrictAcceptorCheck yes
> GSSAPIKeyExchange yes
>
> UsePAM yes
> Is there anything else that needs to be set in order for tickets to be
> automatically generated following a ssh to a server?
> Thanks!
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 

--------

Diogenes S. de Jesus


More information about the Kerberos mailing list