Automatically forwarding fresh Kerberos tickets?

Douglas E Engert deengert at gmail.com
Wed Mar 23 01:40:35 AEDT 2016



On 3/22/2016 8:50 AM, Basney, Jim wrote:
> On 3/21/16, 8:55 PM, John Devitofranceschi wrote:
>> In an environment where users use smart cards to authenticate on Windows
>> and then use ssh to login to UNIX systems via GSSAPI, it is nigh
>> impossible to renew/refresh the Kerberos credentials in the UNIX session.
>> If the user fails to renew their credentials before they expire, the user
>> is stuck and must log out and log back in to get valid tickets.
>>
>> Meanwhile it is entirely likely that on the Windows desktop where they
>> ssh'd from, fresh credentials have been served up constantly (when
>> unlocking the screen, for example).
>>
>> Might it be possible to modify OpenSSH to configure the client to
>> automatically forward fresh Kerberos credentials to the target session
>> (assuming the sshd on the target has been modified to accept such
>> updates)? Or is this a change that the current implementation just
>> couldn't allow?
>
> Does the Cascading Credentials capability in Simon Wilkinson's OpenSSH
> Kerberos/GSSAPI patch (http://www.sxw.org.uk/computing/patches/openssh)
> provide the desired functionality?

Sure looks like it should.
On Ubuntu 14.4 with OpenSSH_6.6.1p1:
  man sshd_config  lists GssapiStoreCredentialsOnRekey
  man ssh_config   lists GSSAPIRenewalForcesRekey


>
> -Jim
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>

-- 

  Douglas E. Engert  <DEEngert at gmail.com>
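The two options listed above only do something when both ends of the connection agree, so here is a small audit script, added as an example (it is not code from the thread, from OpenSSH, or from Simon Wilkinson's patch), that reads a client ssh_config and a server sshd_config and reports which cascading-credentials options are missing. The keyword names are the ones the patched ssh_config(5)/sshd_config(5) pages document; the assumption that GSSAPIKeyExchange must be enabled on both sides (because the delegation on rekey rides on a GSSAPI key exchange), and the sample config files the script writes, are mine.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or the sxw patch: audit a
# client ssh_config and a server sshd_config for the options the cascading
# credentials feature needs. Keyword names follow the patched
# ssh_config(5)/sshd_config(5); the GSSAPIKeyExchange requirement on both
# sides is an assumption (delegation on rekey rides on GSSAPI key exchange).

# opt_value FILE KEYWORD -> prints the lowercased value of the first
# uncommented "Keyword value" line. ssh keywords are case-insensitive, so
# "GssapiStoreCredentialsOnRekey" and "GSSAPIStoreCredentialsOnRekey" match.
# Host/Match blocks are not interpreted: this is a flat, first-match read.
opt_value() {
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(k) { print tolower($2); exit }
    ' "$1"
}

# want FILE KEYWORD EXPECTED -> 0 if the option has that value, otherwise
# prints what is wrong and returns 1.
want() {
    v=$(opt_value "$1" "$2")
    if [ "$v" = "$3" ]; then
        return 0
    fi
    printf 'MISSING in %s: %s %s (found: %s)\n' "$1" "$2" "$3" "${v:-unset}"
    return 1
}

# check_cascading_config CLIENT_CFG SERVER_CFG -> returns the number of
# required options that are absent or set wrongly (0 means all present).
check_cascading_config() {
    missing=0
    # client: authenticate with GSSAPI, delegate a ticket, and force a rekey
    # (which re-delegates) whenever the local ticket cache is renewed
    for kv in 'GSSAPIAuthentication yes' \
              'GSSAPIDelegateCredentials yes' \
              'GSSAPIKeyExchange yes' \
              'GSSAPIRenewalForcesRekey yes'; do
        want "$1" ${kv} || missing=$((missing + 1))
    done
    # server: accept GSSAPI auth/kex and replace the session's credential
    # cache with the credentials delegated during each rekey
    for kv in 'GSSAPIAuthentication yes' \
              'GSSAPIKeyExchange yes' \
              'GSSAPIStoreCredentialsOnRekey yes'; do
        want "$2" ${kv} || missing=$((missing + 1))
    done
    return "$missing"
}

# write_sample_configs DIR -> writes three constructed sample files:
# client_ok (complete), client_bad (two options commented out) and sshd_ok
# (complete, with the keyword spelled the way the post above spells it).
write_sample_configs() {
    cat >"$1/client_ok" <<'EOF'
# constructed sample ~/.ssh/config
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPIKeyExchange yes
    GSSAPIRenewalForcesRekey yes
EOF
    cat >"$1/client_bad" <<'EOF'
# constructed sample: delegation and rekey-on-renewal left disabled
Host *
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
    # GSSAPIDelegateCredentials yes
    # GSSAPIRenewalForcesRekey yes
EOF
    cat >"$1/sshd_ok" <<'EOF'
# constructed sample /etc/ssh/sshd_config fragment
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GssapiStoreCredentialsOnRekey yes   # mixed case, keywords are case-insensitive
EOF
}

# Usage on a real pair of hosts:
#   check_cascading_config ~/.ssh/config /path/to/remote/sshd_config
```

The script only reads configuration; it does not tell you whether the binaries were actually built with the patch. A quick way to find that out for the client is to pass the keyword on the command line, e.g. `ssh -o GSSAPIRenewalForcesRekey=yes -V`: an unpatched ssh rejects the unknown keyword with "Bad configuration option" and exits non-zero before printing its version. Once both sides are set up, renew the ticket on the client (`kinit -R`, or a fresh smart-card logon) and run `klist` in the remote session; the expiry time shown there should move forward after the rekey.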