Windows clients will handle this automatically by giving the user the Kerberos password prompt. In that case it's done in the kerb library. For Unix (and Mac) clients this doesn't happen. The easiest solution is to wrap the ssh binary with an expiration checker tool. Another route is to deploy a TGT checker daemon (e.g. Solaris has this by default), which operates outside of ssh entirely. The user will get prompts on his desktop when the TGT expires or is close to expiring; also, the tool generally allows for auto renewal.

On Fri, Feb 15, 2013 at 4:44 AM, Paul DiSciascio <[email protected]> wrote:

> Hi,
> I have deployed a kerberos infrastructure with multiple KDCs. In the
> event that a user attempts to log in to a server via ssh with an expired
> tgt, the behavior is to check each KDC and then fail. The overall
> process takes about 10 seconds, after which ssh moves on to other
> authentication types (password, rsa, etc), but it does this silently.
> From the user's perspective it seems like things are just slow. Is
> there any way to modify configuration such that the user receives a
> message that the tgt is expired? Would this be a function of ssh or the
> krb libraries/utils? I can envision a few ways to script around this,
> but I was hoping there's a more elegant solution.
>
> Thanks,
> Paul
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
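
One way to build the ssh wrapper with an expiration check mentioned in the reply, as an added example that is not part of the original thread. It assumes MIT `klist -s` (silent, exit status 1 when the cache is unreadable or expired) and the OpenSSH client; `KLIST_CMD`, `KINIT_CMD`, `SSH_CMD`, `tgt_valid` and `ssh_checked` are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example: check the Kerberos TGT before handing off to ssh, so the
# user sees why GSSAPI login will not work instead of a silent delay.
# KLIST_CMD, KINIT_CMD and SSH_CMD are hypothetical override variables.

: "${KLIST_CMD:=klist}"
: "${KINIT_CMD:=kinit}"
: "${SSH_CMD:=ssh}"

# Return 0 if the default credential cache holds unexpired credentials.
# MIT klist -s prints nothing and exits 1 if the cache is unreadable or expired.
tgt_valid() {
    "$KLIST_CMD" -s >/dev/null 2>&1
}

# Warn about a missing or expired TGT, offer renewal, then run ssh.
ssh_checked() {
    if ! tgt_valid; then
        echo "ssh: Kerberos TGT is missing or expired." >&2
        if [ -t 0 ]; then
            # Interactive terminal: let kinit prompt for the password.
            "$KINIT_CMD" || echo "ssh: kinit failed, continuing without a TGT." >&2
        fi
        if ! tgt_valid; then
            # Assumption: with no usable ticket, turning GSSAPI off on the
            # client lets ssh go straight to its other authentication types.
            "$SSH_CMD" -o GSSAPIAuthentication=no "$@"
            return $?
        fi
    fi
    "$SSH_CMD" "$@"
}
```

Source the file from the shell startup script and alias `ssh` to `ssh_checked`, or add a final line `ssh_checked "$@"` and install it ahead of the real binary in `PATH` with `SSH_CMD` set to the real path.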
