[27868] in Kerberos

Re: Use ssh key to acquire TGT?

daemon@ATHENA.MIT.EDU (Russ Allbery)
Sat Jun 2 14:51:00 2007

From: Russ Allbery <rra@stanford.edu>
To: kerberos@mit.edu
In-Reply-To: <x3y7j2nsiq.fsf@nowhere.com> (Adam Megacz's message of "Sat, 02
	Jun 2007 11:03:09 -0700")
Date: Sat, 02 Jun 2007 11:50:53 -0700
Message-ID: <87ira6fawi.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Adam Megacz <megacz@hcoop.net> writes:
> Jeffrey Altman <jaltman@secure-endpoints.com> writes:

>>> Hrm, last I checked there was no RFC, just an internet-draft.

>> RFC 4456
>> http://www.ietf.org/rfc/rfc4556.txt

> Wow, sweet.  What is the implementation status in current KDCs (MIT and
> Heimdal)?

Heimdal supports PKINIT as of the 0.8 release.  Support for PKINIT in MIT
Kerberos is scheduled, I believe, for the 1.7 release and is currently
available on a branch.

> Currently my thinking is to patch pam_krb5 and add a flag that causes it
> to use $SSH_AUTH_SOCK to contact the user's ssh-agent, and get the agent
> to sign the PKINIT protocol requests.  This way the pam stack:

>   pam_ssh_agent
>   pam_krb5
>   pam_afs_session

> should do everything automatically.

pam_krb5 does already have PKINIT support, so I recommend reviewing how
that support is structured and seeing if you can take advantage of it.  If
you can minimize the impact of these changes, I'm happy to take patches to
enable this sort of thing in pam_krb5, although I don't really want to
take a lot of code specific to ssh public keys.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos