When I log in to a server using OpenSSH, a Kerberos ticket is generated in /tmp/krb5cc_.

1 - How to generate this ticket, and where is the conf file to create this ticket?

2 - How to generate the Kerberos ticket with a forwardable flag when I log in to a server using OpenSSH?

3 - I want to ssh to 3 different servers via a Kerberos ticket. When I log in to server1 using a password, a Kerberos ticket will be created for me. Afterwards I use this ticket to ssh to server2, and the ticket follows me. Finally, I will ssh to server3 without a password, using the ticket once again.

In summary: I log in to server1 using a password, then jump to server2 via the Kerberos ticket without a password, and then I ssh to the third server without a password, the same as to the second server.

1 Answer

In modern Linux systems you're using some PAM module to do that. Part of the info you seek is in the man page of said module.

Unless you're on a Fedora-derived system, the most used one seems to be: https://www.eyrie.org/~eagle/software/pam-krb5/pam-krb5.html. Search for appdefaults in the above page (a section in /etc/krb5.conf).

ccache=<pattern>

would answer the second part of your question number 1, the first part would be the pam module.

forwardable = True

would answer number 2; it can be set in the appdefaults or libdefaults section of /etc/krb5.conf.

Number 3 has to do with ssh: man ssh or ssh_config would reveal: either use -K (ssh -K) or set GSSAPIDelegateCredentials=yes and GSSAPIAuthentication=yes in ~/.ssh/config (either globally --not a good idea-- or per host/domain).

See the man pages (ssh, pam_krb5, krb5.conf, kinit) for more info.
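The per-host form of the settings named in the answer, laid out for the server1 → server2 → server3 chain from the question. This is an added example, not part of the original answer; the host names are placeholders, and it assumes the ticket obtained at login is forwardable and that sshd on each server accepts GSSAPI authentication.

```sshconfig
# ~/.ssh/config (constructed example; host names are placeholders)
# ssh uses the first value it finds for each option, so the specific
# Host blocks come first and the catch-all "Host *" comes last.

# Hop server1 -> server2: authenticate with the Kerberos ticket and
# forward it, so server2 holds a TGT usable for the next hop.
# Equivalent to running "ssh -K" for this host only.
Host server2.example.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

# Hop server2 -> server3: authenticate with the forwarded ticket, but
# do not forward it again. server3 is the last hop and does not need
# a TGT to let you in.
Host server3.example.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no

# Every other host: never delegate. A forwarded TGT can be used to act
# as you by anyone who controls the remote host, until it expires.
Host *
    GSSAPIDelegateCredentials no

# The global form the answer calls "not a good idea", for contrast.
# It hands a TGT to every GSSAPI-capable host you connect to:
#
# Host *
#     GSSAPIAuthentication yes
#     GSSAPIDelegateCredentials yes
```

Running `klist -f` on server2 after the first hop shows whether a forwarded ticket arrived and which flags it carries.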
