On Thu, 14 Jul 2016, Mauro Cazzari wrote:

> I've been trying to figure out whether there is a way for a local user on
> Unix to automatically get a ticket when logging onto a server using ssh.

This terminology is sufficiently vague that I'm not entirely sure what behavior you actually want. By "ticket", do you mean "fresh TGT", "service ticket for host/<ssh-server>", or something else? Do you expect the local user to have to enter a password when logging into the server?

> Keep in mind that the KDC being used doesn't interface with LDAP, but it's
> rather a standalone KDC. After having added a principal to the KDC for a
> test id, I was able to log on to the ssh server and see that a ticket had
> been acquired. However, any subsequent logons to other ssh servers generate
> no tickets at all. For completeness, the first logon asks for a password,
> whereas the others don't. If I force the use of a password for the other
> logons, then a ticket gets regularly generated. Ideally, I'd like to ssh

This sounds consistent with pam_krb5 being in the stack on the server, since it can use the supplied password to obtain a TGT for the ensuing session. (But is it what you want?)

> from one server to another getting a new ticket every time.
> These are the current settings I have in ssh_config:
> Host *
> GSSAPIAuthentication yes
> GSSAPIDelegateCredentials yes
> GSSAPIKeyExchange yes
> These are my settings in sshd_config:
> # Kerberos options
> KerberosAuthentication yes
> KerberosOrLocalPasswd yes
> KerberosTicketCleanup yes
> #KerberosGetAFSToken no
> #KerberosUseKuserok yes

As Brandon said, these are old/deprecated and it is unusual for them to be the desired configuration. But I don't know enough about what you want in order to be able to say that for sure.

-Ben

> # GSSAPI options
> #GSSAPIAuthentication no
> GSSAPIAuthentication yes
> #GSSAPICleanupCredentials yes
> GSSAPICleanupCredentials yes
> #GSSAPIStrictAcceptorCheck yes
> GSSAPIKeyExchange yes
>
> UsePAM yes
> Is there anything else that needs to be set in order for tickets to be
> automatically generated following a ssh to a server?
> Thanks!
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos