You got me digging into this again :) I found the alternative ssh implementation: pkixssh https://gitlab.com/secsh/pkixssh Not sure I'd be brave enough though.
Peter

________________________________________
From: Kroon PC, Peter via FreeIPA-users <[email protected]>
Sent: Wednesday, 9 April 2025 10:43
To: [email protected]
Cc: Ronald Wimmer; Kroon PC, Peter
Subject: [Freeipa-users] Re: IPA pubkey auth and NFS KRB5

Hi Ron,

On paper, and technically, I do think this would be the best solution. Like I wrote originally however, you need a modified ssh(d) to forward access to the certificate/smartcard to allow pkinit to get your kerberos ticket (as far as I understand it).

See also this kerberos mail thread: https://comp.protocols.kerberos.narkive.com/tktb96dW/using-a-ssh-key-for-krb5-mount

This also seems intelligent: https://lists.mindrot.org/pipermail/openssh-unix-dev/2018-December/037433.html
I don't have time to go through the full thread right now, but it seems to hold important puzzle pieces.

As for using a certificate for kerberos auth, see https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/managing_smart_card_authentication/index, and your further google term will be pkinit.

Peter

________________________________________
> From: Ronald Wimmer via FreeIPA-users <[email protected]>
> Sent: Wednesday, 9 April 2025 09:53
> To: [email protected]
> Cc: Ronald Wimmer
> Subject: [Freeipa-users] Re: IPA pubkey auth and NFS KRB5
>
> On 09.04.25 09:41, Ronald Wimmer via FreeIPA-users wrote:
> > On 14.02.25 10:35, Kroon PC, Peter wrote:
> > > - You can authenticate to kerberos using a certificate
> >
> > If this is true I could use pubkey auth for SSH and a user cert for
> > Kerberos, right? This idea does not sound too bad...
>
> So how to obtain a cert is here: https://www.freeipa.org/page/V4/User_Certificates#using-freeipa-dogtag-pki-to-issue-user-certificates
>
> But how would I use such a cert for Kerberos auth?
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
