
Re: Use ssh key to acquire TGT?

daemon@ATHENA.MIT.EDU (Russ Allbery)
Fri Jun 1 01:44:57 2007

From: Russ Allbery <rra@stanford.edu>
To: kerberos@mit.edu
In-Reply-To: <x33b1c9r4l.fsf@nowhere.com> (Adam Megacz's message of "Thu, 31
	May 2007 22:32:26 -0700")
Date: Thu, 31 May 2007 22:44:43 -0700
Message-ID: <877iqow7n8.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Adam Megacz <megacz@hcoop.net> writes:

>>> Because you have to kinit once **per realm**.

>> Well, if the passwords are different you can't get around that.

> As they should be, because I do not want to entrust the admins of any
> of the systems I use with knowledge of the password for my account on
> other systems.

The most practical short-term solution to this problem is to do something
akin to the Apple keychain.  Store the passwords of all these different
Kerberos principals in an encrypted file protected by a private key (or
whatever else is convenient), and then wrap kinit with something that
decrypts that password store and walks through the principals, obtaining
each TGT.

In the long run, what you want, protocol-wise, is a new Kerberos preauth
mechanism that can be used to authenticate to the KDC, similar to PKINIT.
PKINIT already exists and is already standardized, so using X.509
certificates is much easier than using ssh private keys.  I expect there
will be significant protocol issues to work through using ssh public keys
for a preauth mechanism (such as how to communicate the TGT back to the
client securely).

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
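The keychain-style wrapper Russ sketches above, written out as an added example (this is not code from the original post or from any Kerberos distribution). It assumes a password store that has been encrypted with gpg, one `principal<TAB>password` line per principal, an MIT `kinit` that reads the password from stdin when stdin is not a terminal, and a separate credential cache per realm under `CCDIR` so the TGTs do not overwrite each other. The `DECRYPT`, `KINIT` and `CCDIR` variables, the store path and the sample principals are all constructed for the example.

```shell
#!/bin/sh
# kinit-multi: decrypt a keychain-like password store and obtain one TGT per
# principal.  Added example; assumptions: gpg-encrypted store, one
# "principal<TAB>password" line per principal, MIT kinit reading the password
# from stdin, one credential cache per realm.

DECRYPT="${DECRYPT:-gpg --quiet --batch --decrypt}"   # command that prints the plaintext store
KINIT="${KINIT:-kinit}"                               # kinit binary (overridable for testing)
CCDIR="${CCDIR:-${XDG_RUNTIME_DIR:-/tmp}/krb5cc_multi}" # one cache file per realm lives here

# cache_for_principal user@REALM -> $CCDIR/REALM
# Each realm gets its own cache so a later kinit does not clobber an earlier TGT.
cache_for_principal() {
  printf '%s/%s\n' "$CCDIR" "${1#*@}"
}

# kinit_all: read "principal<TAB>password" lines on stdin and run kinit for each.
# Blank lines and lines starting with '#' are skipped.  Returns the number of
# principals for which kinit failed (0 means every TGT was obtained).
kinit_all() {
  fail=0
  while IFS="$(printf '\t')" read -r princ pw; do
    [ -z "$princ" ] && continue
    case "$princ" in '#'*) continue ;; esac
    cc=$(cache_for_principal "$princ")
    # Feed the password on stdin: it must never appear on the command line,
    # where any local user could read it from the process list.
    if printf '%s\n' "$pw" | $KINIT -c "$cc" "$princ" >/dev/null 2>&1; then
      :
    else
      echo "kinit failed for $princ" >&2
      fail=$((fail + 1))
    fi
  done
  return "$fail"
}

# kinit_multi [store]: decrypt the store and hand it to kinit_all.
# The plaintext only ever exists in the pipe; it is never written to disk.
kinit_multi() {
  store="${1:-$HOME/.krb5-passwords.gpg}"
  umask 077
  mkdir -p "$CCDIR"
  $DECRYPT "$store" | kinit_all
}
```

Run it as `kinit_multi ~/.krb5-passwords.gpg`; afterwards point `KRB5CCNAME` at the cache for whichever realm you are talking to (for example `KRB5CCNAME=$CCDIR/EXAMPLE.ORG`). The private key protecting the gpg store is the single secret the user has to remember, which is exactly the keychain trade-off described above: the per-realm passwords are still stored, just behind one local key rather than typed `per realm`.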
