Automatically forwarding fresh Kerberos tickets?

Basney, Jim jbasney at illinois.edu
Wed Mar 23 00:50:41 AEDT 2016


On 3/21/16, 8:55 PM, John Devitofranceschi wrote:
>In an environment where users use smart cards to authenticate on Windows
>and then use ssh to login to UNIX systems via GSSAPI, it is nigh
>impossible to renew/refresh the Kerberos credentials in the UNIX session.
>If the user fails to renew their credentials before they expire, the user
>is stuck and must log out and log back in to get valid tickets.
>
>Meanwhile it is entirely likely that on the Windows desktop where they
>ssh'd from, fresh credentials have been served up constantly (when
>unlocking the screen, for example).
>
>Might it be possible to modify OpenSSH to configure the client to
>automatically forward fresh Kerberos credentials to the target session
>(assuming the sshd on the target has been modified to accept such
>updates)? Or is this a change that the current implementation just
>couldn't allow?

Does the Cascading Credentials capability in Simon Wilkinson's OpenSSH
Kerberos/GSSAPI patch (http://www.sxw.org.uk/computing/patches/openssh)
provide the desired functionality?

-Jim



More information about the openssh-unix-dev mailing list