Automatically forwarding fresh Kerberos tickets?

John Devitofranceschi foonon at gmail.com
Tue Mar 22 12:55:13 AEDT 2016


In an environment where users use smart cards to authenticate on Windows and then use ssh to log in to UNIX systems via GSSAPI, it is nigh impossible to renew/refresh the Kerberos credentials in the UNIX session. If the user fails to renew their credentials before they expire, the user is stuck and must log out and log back in to get valid tickets.

Meanwhile it is entirely likely that on the Windows desktop where they ssh'd from, fresh credentials have been served up constantly (when unlocking the screen, for example).

Might it be possible to modify OpenSSH to configure the client to automatically forward fresh Kerberos credentials to the target session (assuming the sshd on the target has been modified to accept such updates)? Or is this a change that the current implementation just couldn’t allow?

jd