I know the idea will make some people recoil in horror, but are there any KDCs or patches out there that do this?
The idea would be that the KDC would issue a TGT to any user who could prove they had possession of the private key corresponding to one of the user's ~/.ssh/authorized_keys (assume for simplicity that the KDC has copies of these). I know there are solutions out there for generating a TGT in response to other authentication mechanisms (SecurID, etc.), so this can't be *that* crazy.

Our (hcoop.net) users love their new AFS homedirs, but are complaining a lot about ssh public keys not working the way they're accustomed to. Telling them to "kinit" after logging in doesn't quite cut it either.

We're aware that this goes against the grain of Kerberos security, but without something like this users will just start hardcoding their plaintext password into scripts, which is even worse. At least with ssh keys we can urge them to password-encrypt their on-disk private keys.

- a

--
PGP/GPG: 5C9F F366 C9CF 2145 E770 B1B8 EFB1 462D A146 C380

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos