[27839] in Kerberos
Re: Use ssh key to acquire TGT?
daemon@ATHENA.MIT.EDU (Christopher D. Clausen)
Thu May 31 22:51:12 2007
Message-ID: <8C51A835039D48A6A1CFA74053B91DE0@CDCHOME>
From: "Christopher D. Clausen" <cclausen@acm.org>
To: <kerberos@mit.edu>
Date: Thu, 31 May 2007 21:51:02 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Adam Megacz <megacz@hcoop.net> wrote:
> Our (hcoop.net) users love their new AFS homedirs, but are complaining
> a lot about ssh public keys not working the way they're accustomed to.
> Telling them to "kinit" after logging in doesn't quite cut it either.
>
> We're aware that this goes against the grain of kerberos security, but
> without something like this users will just start hardcoding their
> plaintext password into scripts, which is even worse. At least with
> ssh keys we can urge them to password-encrypt their on-disk private
> keys.
How exactly is having a private key password different from simply
telling the user to kinit ONCE on their local machine before attempting
to SSH to your Kerberized machines?
Also, you could rig up a login script (or PAM) that used a local keytab
file to obtain AFS tickets automatically at successful login. Not sure
if you'd have to assume that someone logging in as the local UNIX user
automatically means that user would have the matching AFS identity.
You would also have issues of users keeping their passwords and the
keytabs up to date or otherwise differentiating between the keytab login
and their real Kerberos identity.
This might be a question to ask on the AFS mailing lists instead of the
Kerberos ones.
<<CDC
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
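The login-time hook Christopher sketches above (kinit from a local keytab at login, then an AFS token), worked out as an added shell example; it is not part of the original message or of hcoop.net's setup. Everything concrete in it is an assumption: a keytab directory /var/local/keytabs on local disk, realm EXAMPLE.ORG, a principal of the form $USER@REALM, and OpenAFS aklog(1). The KINIT/AKLOG variables exist only so the script can be exercised without a KDC. Two practitioner caveats are built in: the keytab must not live in the AFS home directory (it cannot be read before the token exists), and a keytab readable by anyone else is a plaintext-equivalent credential, exactly what the original poster wants to avoid, so the hook refuses anything not mode 0600 or 0400.

```shell
#!/bin/sh
# Added example, not from the original message: obtain a TGT from a
# per-user keytab on LOCAL disk at login, then an AFS token via aklog.
# Suitable for sourcing from a profile hook or calling from a PAM
# session helper. All paths, realm and commands below are assumptions.

KEYTAB_DIR="${KEYTAB_DIR:-/var/local/keytabs}"   # assumed; must NOT be in AFS
REALM="${REALM:-EXAMPLE.ORG}"                    # assumed realm
KINIT="${KINIT:-kinit}"                          # overridable for dry runs
AKLOG="${AKLOG:-aklog}"                          # OpenAFS aklog, assumed present

# Return 0 if the keytab exists and is private to its owner,
# 1 if it is missing, 2 if its mode would let other users read it.
check_keytab() {
    kt="$1"
    [ -f "$kt" ] || return 1
    case "$(ls -ld "$kt")" in
        -rw-------*|-r--------*) return 0 ;;
        *) return 2 ;;
    esac
}

# Obtain a TGT for "$user@$REALM" from "$KEYTAB_DIR/$user.keytab" and
# then an AFS token. Exit codes: 0 ok, 1 no keytab, 2 unsafe keytab
# mode, 3 kinit failed, 4 aklog failed.
login_tokens() {
    user="$1"
    kt="$KEYTAB_DIR/$user.keytab"
    rc=0
    check_keytab "$kt" || rc=$?
    case "$rc" in
        1) echo "no keytab for $user; run kinit manually" >&2; return 1 ;;
        2) echo "refusing $kt: keytab must be mode 0600 or 0400" >&2; return 2 ;;
    esac
    # Private credential cache per login so concurrent sessions of the
    # same user do not overwrite each other's tickets.
    KRB5CCNAME="FILE:/tmp/krb5cc_$(id -u)_$$"
    export KRB5CCNAME
    "$KINIT" -k -t "$kt" "$user@$REALM" || return 3
    "$AKLOG" || return 4
    return 0
}

# Typical hook usage: set RUN_LOGIN_HOOK=1 in the profile script that
# sources this file so the hook runs for the logging-in user.
if [ -n "${RUN_LOGIN_HOOK:-}" ]; then
    login_tokens "$(id -un)"
fi
```

Note what this does not solve, per the reply itself: the keytab and the user's real password drift apart after a password change (a keytab holds a key derived from the password at the time it was written), and a keytab login is indistinguishable from the user's interactive Kerberos identity, so an attacker who reads the keytab file gets the same AFS access the user has.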