On Mon, 2010-05-17 at 11:02 -0400, Richard Smits wrote:
> But my question is, is this possible? Obtaining a krb5 ticket with ssh
> public/private key mechanism?
>
> I think not ... but you never know ... Does krb5 always want a password?

Generally speaking, no. If it were possible, then your ssh server would be able to masquerade as any user by simply pretending that someone logged in with an appropriate ssh private key.

There is actually a mechanism to allow that kind of authentication protocol transfer, if the server is trusted. It originated with Microsoft and is alternately called S4U2Proxy or Constrained Delegation. However, using it in sshd would require additional code, and getting the SSH people to accept additional Kerberos code is basically impossible.

Nico's PKINIT scenario is similarly outlandish from an implementation point of view, although it does have the advantage of placing less trust in the ssh server.

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
