
SSH: passwords or keys?

SSH: passwords or keys?

Posted Jan 14, 2010 22:15 UTC (Thu) by paulj (subscriber, #341)
In reply to: SSH: passwords or keys? by mmcgrath
Parent article: SSH: passwords or keys?

Hi,

Do you mean:

a) 1 user accessing services authenticated via 2 separate Kerberos systems?

or

b) Kerberos systems co-operating, such that 1 system will accept user
credentials issued by the other?

The former is really easy. The user can authenticate with multiple kerberos
realms quite easily, just by specifying different ticket caches when using kinit
(I open a new session and set KRB5CCNAME).

The latter is cross-realm authentication and requires joint-administrative
fiddling to set up.

I think you mean the former, which is not a problem at all.



SSH: passwords or keys?

Posted Jan 14, 2010 22:26 UTC (Thu) by mmcgrath (guest, #44906) [Link]

> a) 1 user accessing services authenticated via 2 separate Kerberos systems?

Yeah I mean that. We have kerberos at $DAYJOB. The real concern isn't so much that someone technical (myself) could get it working. But more to make sure that people less technical (say, an art designer in their first year of college) could access both locations without confusion.

Some contributors get confused just generating ssh key pairs.

SSH: passwords or keys?

Posted Jan 14, 2010 22:53 UTC (Thu) by foom (subscriber, #14868) [Link]

> The former is really easy. The user can authenticate with multiple kerberos
> realms quite easily, just by specifying different ticket caches when using kinit
> (I open a new session and set KRB5CCNAME).

You call that *easy*??

However, IIRC from last I used kerberos, you can actually kinit to multiple realms just fine without
setting random environment variables.

SSH: passwords or keys?

Posted Jan 15, 2010 12:27 UTC (Fri) by paulj (subscriber, #341) [Link]

It's not random, it's documented in the kinit manual page.

You need an environment variable really, otherwise every krb5-or-GSS using
client you run needs to have an explicit option (argument, conf file, and/or in the
UI) to specify the ticket cache.

It's not as transparent as using SSH keys though, unfortunately.
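
Added example, not part of the thread or of any commenter's own setup: a small POSIX shell wrapper for the per-realm ticket cache approach discussed above, which sets KRB5CCNAME only for the command being run. The realm names, principal, host and cache directory are constructed placeholders.

```shell
#!/bin/sh
# Added example: one credential cache per Kerberos realm, selected via KRB5CCNAME.
# Realm names and the cache directory below are constructed placeholders.

# Directory holding the per-realm caches (assumption: a private dir under $HOME).
KRB_CACHE_DIR="${KRB_CACHE_DIR:-$HOME/.krb5cc}"

# Print the cache name for a realm, e.g. FILE:/home/u/.krb5cc/WORK.EXAMPLE.COM
krb_cache_for() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9.-]*)   # the realm becomes a file name: reject anything odd
            echo "invalid realm: $1" >&2; return 1 ;;
    esac
    printf 'FILE:%s/%s\n' "$KRB_CACHE_DIR" "$1"
}

# Run a command with KRB5CCNAME pointing at that realm's cache.
# The variable is set for the child process only, so the calling shell
# (and any default cache it uses) is left untouched.
with_realm() {
    realm=$1; shift
    cache=$(krb_cache_for "$realm") || return 1
    mkdir -p "$KRB_CACHE_DIR" && chmod 700 "$KRB_CACHE_DIR" || return 1
    KRB5CCNAME="$cache" "$@"
}

# Typical use (principal and host are placeholders):
#   with_realm WORK.EXAMPLE.COM    kinit alice@WORK.EXAMPLE.COM
#   with_realm PROJECT.EXAMPLE.ORG kinit alice@PROJECT.EXAMPLE.ORG
#   with_realm WORK.EXAMPLE.COM    klist
#   with_realm PROJECT.EXAMPLE.ORG ssh -o GSSAPIAuthentication=yes host.project.example.org
```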

