Re: Automatically forwarding fresh Kerberos tickets?

On 3/21/16, 8:55 PM, John Devitofranceschi wrote:
>In an environment where users use smart cards to authenticate on Windows
>and then use ssh to login to UNIX systems via GSSAPI, it is nigh
>impossible to renew/refresh the Kerberos credentials in the UNIX session.
>If the user fails to renew their credentials before they expire, the user
>is stuck and must log out and log back in to get valid tickets.
>
>Meanwhile it is entirely likely that on the Windows desktop where they
>ssh'd from, fresh credentials have been served up constantly (when
>unlocking the screen, for example).
>
>Might it be possible to modify OpenSSH to configure the client to
>automatically forward fresh Kerberos credentials to the target session
>(assuming the sshd on the target has been modified to accept such
>updates)? Or is this a change that the current implementation just
>couldn't allow?

Does the Cascading Credentials capability in Simon Wilkinson's OpenSSH
Kerberos/GSSAPI patch (http://www.sxw.org.uk/computing/patches/openssh)
provide the desired functionality?

-Jim

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



