Re: Automatically forwarding fresh Kerberos tickets?

On 3/22/2016 8:50 AM, Basney, Jim wrote:
On 3/21/16, 8:55 PM, John Devitofranceschi wrote:
In an environment where users use smart cards to authenticate on Windows
and then use ssh to login to UNIX systems via GSSAPI, it is nigh
impossible to renew/refresh the Kerberos credentials in the UNIX session.
If the user fails to renew their credentials before they expire, the user
is stuck and must log out and log back in to get valid tickets.

Meanwhile it is entirely likely that on the Windows desktop where they
ssh'd from, fresh credentials have been served up constantly (when
unlocking the screen, for example).

Might it be possible to modify OpenSSH to configure the client to
automatically forward fresh Kerberos credentials to the target session
(assuming the sshd on the target has been modified to accept such
updates)? Or is this a change that the current implementation just
couldn't allow?

Does the Cascading Credentials capability in Simon Wilkinson's OpenSSH
Kerberos/GSSAPI patch (http://www.sxw.org.uk/computing/patches/openssh)
provide the desired functionality?

Sure looks like it should.
On Ubuntu 14.4 with OpenSSH_6.6.1p1:
 man sshd_config  lists GssapiStoreCredentialsOnRekey
 man ssh_config   lists GSSAPIRenewalForcesRekey



-Jim

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


--

 Douglas E. Engert  <DEEngert@xxxxxxxxx>
