Hi, I'm looking for some information on what needs to be done to set up OpenSSH in a Linux Kerberos environment. Specifically, here is what I want to do.
I have a machine acting as an SSH/Telnet gateway. Any access to shells on other machines must be obtained by first going through this machine. On this machine, the user receives a Kerberos ticket. When the user connects to another machine, I would like the gateway machine to forward his Kerberos TGT to the new host. That host would then obtain a Kerberos ticket on behalf of the user, obtain AFS tokens, and give the user a shell, without having to enter the password again. In essence, I would like the user, once past the gateway, to be able to hop from box to box, obtaining tickets and AFS tokens on each machine as necessary.

I have already set up the login service through the pam_krb5 and pam_openafs_session modules. It works fine: the user logs in, gets a Kerberos ticket and AFS tokens, logs out, and they are destroyed. I have set up the ssh service using pam_krb5 as well, but this makes me nervous, as PAM is known to haunt sysadmins from time to time. However, it appears to work mostly as advertised. Except, the ticket forwarding does not seem to work. (The user is asked for a password on each machine.)

So here are a few things:

1) Is there anything fundamentally wrong with this idea from a security standpoint? I know PAM may be a bad idea for network services, but can anyone give some specific reasons why, especially with regard to Kerberos?

2) I installed the ssh-krb5 package (Debian), which is an OpenSSH package with integrated GSSAPI support. However, I'm not sure what to do to get it to use Kerberos for authentication, or for the ticket forwarding to work. I tried enabling and disabling all the various GSSAPI and Kerberos options in the sshd_config, restarting the server each time, always with the same results: the user is asked for a password, and it doesn't accept his Kerberos password. However, if I add pam_krb5 to the PAM module stack for the ssh service, it works just as the regular ssh daemon does.
So, if anyone could shed some light on this, that would be great. I'm having trouble finding much good documentation with regard to these topics. Thanks!

________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
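As an added example (my own, not part of the original post, of the ssh-krb5 package or of any reply): the OpenSSH settings that a GSSAPI login with TGT delegation depends on on each hop, together with a small POSIX-sh audit of an sshd_config file and of `klist -f` output. It assumes an OpenSSH built with GSSAPI support (`KerberosGetAFSToken` additionally needs AFS support compiled in), MIT Kerberos `klist` output format, and the placeholder domain `example.com`.

```shell
#!/bin/sh
# Added example, not from the original post: OpenSSH/Kerberos settings for a
# gateway-to-host hop with ticket delegation, plus audit helpers.

# Server side (sshd_config on every hop). Assumption: sshd built with GSSAPI support.
SSHD_GSSAPI_FRAGMENT='
# Accept the user'"'"'s Kerberos ticket via GSSAPI; no password crosses this hop.
# The host needs its host/<fqdn>@REALM key in /etc/krb5.keytab for this to work.
GSSAPIAuthentication yes
# Destroy the delegated credential cache when the session ends.
GSSAPICleanupCredentials yes
# PAM still runs the session stage (pam_openafs_session); pam_krb5 in the
# auth stack is not consulted once GSSAPI authentication has succeeded.
UsePAM yes
# Acquire an AFS token from the forwarded TGT (only if built with AFS support).
KerberosGetAFSToken yes
'

# Client side (ssh_config on the gateway). Delegation only happens if the TGT
# is forwardable: kinit -f, or forwardable = true in krb5.conf [libdefaults].
SSH_CLIENT_FRAGMENT='
Host *.example.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
'

# Effective value of an sshd_config keyword: first match wins, as in sshd.
# Handles the "Keyword value" form only, not "Keyword=value".
sshd_get() { # $1 = file, $2 = keyword
    awk -v k="$2" 'tolower($1)==tolower(k) { print tolower($2); exit }' "$1"
}

# Return 0 if the server config can accept a forwarded ticket, 1 otherwise,
# printing each gap found.
audit_sshd_config() { # $1 = sshd_config path
    f="$1"; rc=0
    [ "$(sshd_get "$f" GSSAPIAuthentication)" = yes ] \
        || { echo "GSSAPIAuthentication is not yes (default is no)"; rc=1; }
    [ "$(sshd_get "$f" GSSAPICleanupCredentials)" != no ] \
        || { echo "GSSAPICleanupCredentials no: forwarded caches outlive sessions"; rc=1; }
    return $rc
}

# Return 0 if MIT `klist -f` output on stdin shows a forwardable (F) ticket.
# The flags line looks like "\tFlags: FIA"; lowercase f means forwarded, not forwardable.
ticket_is_forwardable() {
    grep -q '^[[:space:]]*Flags: [A-Za-z]*F'
}

# Usage on a live host (not run here):
#   audit_sshd_config /etc/ssh/sshd_config && klist -f | ticket_is_forwardable && echo ready
```

The audit encodes the two usual reasons a hop falls back to a password prompt: `GSSAPIAuthentication` defaults to `no` in sshd, and a TGT obtained without the forwardable flag cannot be delegated even when the client sets `GSSAPIDelegateCredentials yes`.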
