[27866] in Kerberos


Re: Use ssh key to acquire TGT?

daemon@ATHENA.MIT.EDU (Adam Megacz)
Sat Jun 2 14:39:43 2007

To: kerberos@mit.edu
From: Adam Megacz <megacz@hcoop.net>
Date: Sat, 02 Jun 2007 11:03:09 -0700
Message-ID: <x3y7j2nsiq.fsf@nowhere.com>
Mime-Version: 1.0
X-Complaints-To: usenet@sea.gmane.org
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu


Jeffrey Altman <jaltman@secure-endpoints.com> writes:
>> Hrm, last I checked there was no RFC, just an internet-draft.
> RFC 4456
> http://www.ietf.org/rfc/rfc4556.txt

Wow, sweet.  What is the implementation status in current KDCs (MIT
and Heimdal)?

Currently my thinking is to patch pam_krb5 and add a flag that causes
it to use $SSH_AUTH_SOCK to contact the user's ssh-agent, and get the
agent to sign the PKINIT protocol requests.  This way the pam stack:

  pam_ssh_agent
  pam_krb5
  pam_afs_session

should do everything automatically.

  - a

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
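
Added example (not part of the original post, and not code from pam_krb5 or any KDC): the signing step proposed above would travel over the ssh-agent wire protocol, so this sketch frames one sign request and parses the reply. The key blob and data passed in are placeholders supplied by the caller, the 256 KiB reply cap is an assumption, and wrapping the returned SSH-format signature into a PKINIT message is not shown.

```python
import os, socket, struct

SSH_AGENTC_SIGN_REQUEST, SSH_AGENT_SIGN_RESPONSE = 13, 14  # agent message numbers

def ssh_string(b):  # SSH "string": uint32 big-endian length, then the bytes
    return struct.pack(">I", len(b)) + b

def read_string(buf, off=0):  # decode one string; return (value, next_offset)
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    end = off + 4 + struct.unpack_from(">I", buf, off)[0]
    if end > len(buf):
        raise ValueError("string runs past end of message")
    return buf[off + 4:end], end

def build_sign_request(key_blob, data, flags=0):
    """Frame: uint32 len | byte 13 | string key | string data | uint32 flags."""
    body = (bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(key_blob)
            + ssh_string(data) + struct.pack(">I", flags))
    return ssh_string(body)

def parse_sign_response(body):
    """Return (algorithm, raw_signature); raise if the agent did not sign."""
    if body[:1] != bytes([SSH_AGENT_SIGN_RESPONSE]):
        raise PermissionError("agent did not sign, reply type %r" % body[:1])
    sig, _ = read_string(body, 1)
    alg, off = read_string(sig)
    return alg.decode("ascii"), read_string(sig, off)[0]

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the socket")
        buf += chunk
    return buf

def agent_sign(sock, key_blob, data):
    """One sign round trip over an already connected agent socket."""
    sock.sendall(build_sign_request(key_blob, data))
    n = struct.unpack(">I", recv_exact(sock, 4))[0]
    if n > 256 * 1024:  # assumed upper bound on a reply
        raise ValueError("oversized agent reply")
    return parse_sign_response(recv_exact(sock, n))

def connect_agent():  # the agent socket named by $SSH_AUTH_SOCK
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.connect(os.environ["SSH_AUTH_SOCK"])
    return s
```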
