On Saturday, June 04, 2005 09:46:42 AM +0200 vadim <[EMAIL PROTECTED]> wrote:


> 1) we (realm A) do not trust realm B and do not want credentials from
> realm A to be saved on that filesystem.

Then you need to configure your ssh client not to forward credentials to hosts in realm B, or else be careful not to ssh to hosts in realm B when you have credentials you don't want to forward there.

Ideally, you'd be able to set your ssh client so it would not forward credentials from realm A, but would be willing to forward credentials from realm B. However, I am not aware of any ssh client that offers such a feature -- usually, the decision is made based solely on the name of the server host.


> 2) we however still want users to login from A to B without entering
> passwords.

That's fine; you do not need to forward credentials in order to get a Kerberos-authenticated SSH connection. GSSAPI authentication and credential delegation (forwarding) are generally configured separately for just this reason.



However, the only way to get a krbtgt/[EMAIL PROTECTED] TGT is either to forward one you already have, or to obtain one from the realm B KDC either by typing a password or by using a keytab file containing your key.

-- Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]>
  Sr. Research Systems Programmer
  School of Computer Science - Research Computing Facility
  Carnegie Mellon University - Pittsburgh, PA

________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
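The separation between GSSAPI authentication and credential delegation that the reply describes is expressed in the OpenSSH client as two per-Host options. The following ssh_config fragment is an added example, not from the original thread or from the MIT Kerberos project; the host name patterns `*.realma.example` and `*.realmb.example` are assumptions standing in for the realms' DNS domains. It permits Kerberos single sign-on to realm B while refusing to forward a TGT there, and keeps delegation for hosts in the user's own realm A.

```sshconfig
# Added example, not from the original thread. Host name patterns are
# assumptions; substitute the real DNS domains of each realm.

# Hosts in realm B: Kerberos login is allowed, but the client must never
# hand a forwardable copy of the user's TGT to the remote sshd.
Host *.realmb.example
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no

# Hosts in realm A (our own): login and delegation both permitted, so a
# user can hop between A machines and still hold their tickets there.
Host *.realma.example
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

# Everything else: authenticate with GSSAPI if the server offers it, but
# never delegate. The catch-all block goes last because ssh takes the
# first value it sees for each option; a "Host *" block placed first
# would silently override the per-realm settings above.
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
```

To check what the client will actually do for a given destination, OpenSSH 6.8 and later can print the effective configuration without connecting: `ssh -G user@host.realmb.example | grep -i gssapi` should show `gssapidelegatecredentials no`. After logging in to a realm B host, `klist` there should report no credentials cache for the user. Note that this only controls what the client is willing to do; it cannot distinguish a realm A TGT from a realm B TGT in the same cache, which is exactly the missing feature the reply mentions, so the decision is still keyed on the server's host name.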
