SSH mediated Kerberos authenticated sudo.

Frank Cusack frank+krb at
Mon May 16 13:10:29 EDT 2011

On Fri, May 13, 2011 at 12:08 AM, <g.w at> wrote:

> The next release will have a PAM module which handles the
> authentication of the forwarded AP-REQ packet.  That will eliminate
> the need for the sudo patch and provide a general mechanism for any
> application to leverage this system.

That sounds great.

> If the remote application can't be trusted it would seem there is a
> much higher risk associated with running that application then the
> possibility of it obtaining an application specific credential which
> authenticates the user.  If the infra-structure was forwarding a TGT
> it would be a different story since in this era of addressless
> tickets that would be a much more valuable entity to obtain.

I think one thing that can be done is that since this is a
special/distinguished message, not just stdin/stdout handling, the client
can display a special dialog ala ssh-askpass.  As long as X forwarding isn't
on, the client has assurance that they are actually providing their password
locally.  If X forwarding is on, the server could still mock up a display.
Of course this would only work at all for clients that can offer more than a

If your point is that it may not matter, then why bother with the credential
forwarding at all?  If the remote application must be trusted then surely it
can be trusted to handle passwords.  Although, I can imagine a use case
where the server can't contact the KDC on its own, due to network
limitations such as being in a DMZ.

More information about the krbdev mailing list