I'm setting up a more integrated Kerberos environment around here (Kerberos, Secure NFS, passwordless logins using SSH, multiple Kerberos domains, etc.) and I've stumbled upon a couple of annoying things...

1. Why-o-why can't the tools handle multiple concurrent Kerberos domains ("kinit user@OTHERDOMAIN" to get a ticket for the other domain will remove my ticket for my local domain - which I'm needing to get Secure NFS to work... Not good :-)?

2. If I use "ssh user@host.otherdomain" that also uses Kerberos, then I will get a ticket just fine after I've entered my password. Unfortunately that ticket isn't forwardable, so Secure NFS will fail when I ssh to some other host at that site... A manual "kinit -f" after I've logged in works, but it's really annoying for users... (CDE seems to generate a forwardable ticket by default). Can't seem to find anything configurable in Sun's sshd (or an option to ssh) to change this behaviour.

3. Any plans to get rid of the /tmp/krb5cc_ files and put them into the kernel (or a daemon)?

How do other people implement Kerberos + Secure NFS + transparent remote logins between computers so that we don't drive people insane with endless password prompts? :-)

This message posted from opensolaris.org