Future of kerberised telnet, login, rsh, ftp?

Russ Allbery rra at stanford.edu
Thu Jul 7 18:10:36 EDT 2005

John Rudd <jrudd at ucsc.edu> writes:

> AFAIK, I wouldn't be able to take a kerberos ticket on my local machine,
> use it to authenticate to sshd on a remote host, forward the ticket to
> the remote host, and have the remote host immediately take that
> forwarded ticket and get me an AFS token.  I'm not aware of any way to
> do that only using ssh (at least not with a pre-canned one -- installing
> patches that wont apply against any and every version of OpenSSH is not
> an acceptable solution).

OpenSSH can do this via GSSAPI with the included GSSAPI support, I think
(I think that ticket forwarding was included in the patches that OpenSSH
took).  You need a PAM module that acquires AFS tokens from a K5 ticket,
you need to configure sshd to use PAM, and you need to configure ssh to
forward tickets.

Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

More information about the krbdev mailing list