I have a kerberized SSHD installed on HOST-1, a login server for the
outside world.

How can I make it so users are still authenticated via kerberos, even
though they haven't yet received a ticket?

The main reason for this is that a user who is at home, no vpn, but has
an ssh client could then login and be authenticated by kerberos using
password authentication, get a ticket, then be allowed to ssh (at this
point using a kerberized ssh client) to any kerberized sshd host,
without entering a password.

Is this possible? TIA

--
Austin Gonyou
Systems Architect, CCNA
Coremetrics, Inc.
Phone: 512-698-7250
email: austin at coremetrics.com

"It is the part of a good shepherd to shear
his flock, not to skin it." Latin Proverb

On Mon, Mar 25, 2002 at 04:58:31PM -0600, Austin Gonyou wrote:
> I have a kerberized SSHD installed on HOST-1, a login server for the
> outside world.
>
> How can I make it so users are still authenticated via kerberos, even
> though they haven't yet received a ticket?
>
> The main reason for this is that a user who is at home, no vpn, but has
> an ssh client could then login and be authenticated by kerberos using
> password authentication, get a ticket, then be allowed to ssh(at this
> point using a kerberized ssh client) to any kerberized sshd host,
> without entering a password.
>
> Is this possible? TIA

Depending on your platform, you may be able to use PAM and pam_krb5 to
achieve this effect.

Andrew Bartlett

Austin Gonyou <austin at coremetrics.com> writes:
> I have a kerberized SSHD installed on HOST-1, a login server for the
> outside world.
>
> How can I make it so users are still authenticated via kerberos, even
> though they haven't yet received a ticket?
>
> The main reason for this is that a user who is at home, no vpn, but has
> an ssh client could then login and be authenticated by kerberos using
> password authentication, get a ticket, then be allowed to ssh(at this
> point using a kerberized ssh client) to any kerberized sshd host,
> without entering a password.
>
> Is this possible? TIA

This should work out of the box. At least it does for me, on a daily
basis, exactly as you describe it.

--
--- Hans Insulander <hin at stacken.kth.se>, SM0UTY -----------------------
If I've had a dollar for every promise of help from people who've read
[ my list of tricky things to fix in OpenBSD ] I would have ... well,
at least a few beers. -- Artur Grabowski
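
The setup discussed in this thread, as an added example that is not part of any poster's message: an sshd_config fragment for HOST-1 in which the password typed at login is checked against the KDC, so a successful login also yields a ticket. It assumes an OpenSSH sshd built with Kerberos 5 support and a host keytab already installed; the PAM line at the end is an assumed, typical Linux-PAM form of the pam_krb5 route and its file path varies by platform.

```conf
# sshd_config on HOST-1 (added example; assumes sshd built with Kerberos 5 support)

# Accept a typed password from clients that hold no ticket yet.
PasswordAuthentication yes

# Validate that password against the Kerberos KDC rather than local files;
# on success the user obtains a ticket for the session.
KerberosAuthentication yes

# Default is "yes": if the KDC check fails, sshd falls back to local
# mechanisms such as /etc/passwd. Set to "no" so that the KDC is the only
# password authority on this outward-facing login server.
KerberosOrLocalPasswd no

# Destroy the user's ticket cache file at logout so tickets do not
# linger on the login server.
KerberosTicketCleanup yes

# Alternative route via PAM and pam_krb5 (assumption: Linux-PAM layout,
# e.g. in the sshd PAM service file; module options differ between
# pam_krb5 implementations and are omitted here):
#   auth  sufficient  pam_krb5.so
```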