A way to automatically get a ticket through ssh for a local user
Diogenes S. Jesus
splash at gmail.com
Sun Jul 17 06:20:06 EDT 2016
I've recently encountered this "limitation" when trying to bootstrap
systems to use SSSD+GSSAPI (Kerberos) when they are first provisioned using
ssh-key (e.g. OpenStack).
Once you go pubkey, GSSAPI cred forwarding isn't available in this
context... and that's a bit frustrating, but that's the way things are.
On Sat, Jul 16, 2016 at 2:26 AM, Brandon Allbery <ballbery at sinenomine.net>
wrote:
> Last time I looked at the openssh source code, turning them on could
> interfere with the GSSAPI code: notably, it could cause the “old style”
> ticket forwarding hack to be attempted instead of GSSAPI credential
> delegation, which will fail with GSSAPI credentials.
>
> On 7/15/16, 01:39, "kerberos-bounces at MIT.EDU on behalf of Benjamin Kaduk"
> <kerberos-bounces at MIT.EDU on behalf of kaduk at MIT.EDU> wrote:
>
> >KerberosAuthentication yes
> >KerberosOrLocalPasswd yes
> >KerberosTicketCleanup yes
> >#KerberosGetAFSToken no
> >#KerberosUseKuserok yes
>
> As Brandon said, these are old/deprecated and it is unusual for them to be
> the desired configuration. But I don't know enough about what you want in
> order to be able to say that for sure.
>
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
--
--------
Diogenes S. de Jesus
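
An added example, not part of the original thread and not OpenSSH code: a small audit of an sshd_config for the Kerberos* options quoted above being set to yes, including alongside GSSAPIAuthentication. The sample config is constructed, and the parser is assumed to cover only the global section before any Match block.

```python
import re

# Options quoted in the thread; sshd_config keywords are case-insensitive.
LEGACY_KRB = ("kerberosauthentication", "kerberosorlocalpasswd",
              "kerberosticketcleanup", "kerberosgetafstoken",
              "kerberosusekuserok")

def effective_settings(text):
    """Return {keyword: value} for the global section of an sshd_config.

    sshd uses the first value it sees for a keyword, so later duplicates
    are ignored. Parsing stops at the first Match block (assumption: only
    global settings are audited here).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out option
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        settings.setdefault(key, value)  # first occurrence wins
    return settings

def audit(text):
    """List the thread's Kerberos* options that are set to yes, and note
    when KerberosAuthentication is on together with GSSAPIAuthentication."""
    s = effective_settings(text)
    on = lambda k: s.get(k, "").lower() == "yes"
    findings = [f"{k} is set to yes (called old/deprecated in the thread)"
                for k in LEGACY_KRB if on(k)]
    if on("kerberosauthentication") and on("gssapiauthentication"):
        findings.append("kerberosauthentication and gssapiauthentication are "
                        "both on; the thread warns of interference with GSSAPI")
    return findings

# Constructed sample: the lines quoted in the thread plus two added lines.
SAMPLE = """\
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
GSSAPIAuthentication yes
kerberosauthentication no
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```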