[OpenAFS] Kerberos and SSH2

Sergio Gelato Sergio.Gelato@astro.su.se
Wed, 24 Mar 2004 23:15:22 +0100


* Frank Burkhardt [2004-03-24 10:58:10 +0100]:
> is it possible to use TGT(1)- or/and Token-Forwarding over SSH2?

OpenSSH 3.8p1 implements the gssapi-with-mic mechanism of the latest
Internet Draft (rev. -07), with Kerberos 5 as the only currently
supported GSS mechanism. This does include credential delegation,
i.e. in this case TGT forwarding. I've tested it and it works; am
in the process of deploying it. With Heimdal, you can even use the
KerberosGetAFSToken to get an AFS token on login. With MIT, one way
is to invoke aklog or equivalent from a child process of sshd.

Not yet implemented is GSS key exchange, and the gssapi-keyex combined
key exchange and authentication mechanism. Some people are said to be
working on it. An advantage of GSS key exchange is that one no longer
needs host keys, known_hosts files, etc; the host/* service principals
together with the rest of the Kerberos infrastructure provide sufficient
server authentication to the client.
> 
> (1) MIT-Kerberos5
> 
> Regards,
> 
> Frank
> 
>
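As an added illustration (not part of the original thread), here is the OpenSSH configuration the reply above is describing: GSSAPI authentication with credential delegation on the client, and the matching server side including the Heimdal-only KerberosGetAFSToken option. The host names are placeholders; the option names are real OpenSSH keywords.

```text
# ~/.ssh/config  (client side, OpenSSH 3.8p1 or later)
# Delegation hands the server a copy of your TGT, so enable it only
# for hosts you trust; ssh uses the first matching value, so the
# specific Host block must come before "Host *".
Host *.example.org
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no

# /etc/ssh/sshd_config  (server side)
GSSAPIAuthentication yes
# remove the delegated credential cache when the session ends
GSSAPICleanupCredentials yes
# Heimdal-built OpenSSH only: obtain an AFS token from the delegated TGT.
# With MIT Kerberos this line is not available; run aklog from the login
# session instead (e.g. from a PAM session module or a shell profile).
KerberosGetAFSToken yes
```

Two practical checks: the client's TGT must have been issued forwardable (kinit -f, or forwardable = true in krb5.conf) or delegation will silently not happen; and after login, klist on the server should show the forwarded TGT in a fresh credential cache, while tokens (AFS) shows whether the token step succeeded.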