dfs/dce and openssh
Simon Wilkinson
sxw at inf.ed.ac.uk
Fri May 11 10:45:25 EST 2007
>
> I am starting out from a system with Kerberos credentials. I
> don't know what exactly that implies. Does that imply that I don't
> need the RSA/DSA stuff at all and the Kerberos ticket is just passed?
Yes. Providing the server that you're connecting to has a keytab, and
has the key for the host/<hostname> principal in that keytab.

You may need to turn on GSSAPI in the client and server preferences
(GSSAPIAuthentication yes) and turn on delegation on the client
(GSSAPIDelegateCredentials yes). Ideally, if your OpenSSH supports
it, you probably want to use key exchange - but that's not shipped as
standard with OpenSSH, and requires patches to the client and server.

Cheers,
Simon.
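
The prerequisites named in the reply above (a host/<hostname> key in the server keytab, GSSAPIAuthentication on both sides, GSSAPIDelegateCredentials on the client) can be checked with a short script. This is an added example, not part of the original message; it assumes MIT Kerberos `klist -k` output and an OpenSSH recent enough to provide `ssh -G`, and the host names and sample output are constructed.

```shell
#!/bin/sh
# Added example: checks for the GSSAPI prerequisites named in the reply.
# Functions read command output on stdin, so they work on live or saved output.

# Succeeds if `klist -k` output (MIT Kerberos layout assumed) lists a key
# for host/<fqdn> in any realm. $1 = server FQDN.
keytab_has_host_key() {
    awk -v want="host/$1@" '
        index($2, want) == 1 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Prints the effective value of option $1 from `ssh -G host` or `sshd -T`
# output, both of which print lowercase "keyword value" lines.
effective_option() {
    awk -v key="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        $1 == key && !seen { print $2; seen = 1 }'
}

# Succeeds if the client config on stdin enables GSSAPI authentication and
# credential delegation; otherwise names the first option that is off.
gssapi_client_ready() {
    cfg=$(cat)
    for opt in GSSAPIAuthentication GSSAPIDelegateCredentials; do
        val=$(printf '%s\n' "$cfg" | effective_option "$opt")
        [ "$val" = yes ] || { echo "$opt is '${val:-unset}', expected yes"; return 1; }
    done
    echo "client GSSAPI options enabled"
}

# Constructed sample output (not captured from a real host).
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   3 host/server.example.org@EXAMPLE.ORG'
SAMPLE_SSH_G='hostname server.example.org
gssapiauthentication yes
gssapidelegatecredentials no'

# Live use (commented out so the file runs offline):
#   klist -s || echo "no valid Kerberos ticket; run kinit"
#   ssh -G server.example.org | gssapi_client_ready
#   klist -k /etc/krb5.keytab | keytab_has_host_key "$(hostname -f)"  # on the server, as root
#   sshd -T | effective_option GSSAPIAuthentication                   # on the server, as root
```

GSSAPIDelegateCredentials forwards your ticket to the server, so it is best set inside a Host block for servers you trust rather than globally.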
More information about the openssh-unix-dev
mailing list