Use ssh key to acquire TGT?

2007-05-31 Thread Adam Megacz
I know the idea will make some people recoil in horror, but are there any KDCs or patches out there that do this? The idea would be that the KDC would issue a TGT to any user who could prove they had possession of the private key corresponding to one of the user's ~/.ssh/authorized_keys (assume fo

Re: Use ssh key to acquire TGT?

2007-05-31 Thread Christopher D. Clausen
Adam Megacz <[EMAIL PROTECTED]> wrote: > Our (hcoop.net) users love their new AFS homedirs, but are complaining > a lot about ssh public keys not working the way they're accustomed to. > Telling them to "kinit" after logging in doesn't quite cut it either. > > We're aware that this goes against the

Re: Use ssh key to acquire TGT?

2007-05-31 Thread Adam Megacz
"Christopher D. Clausen" <[EMAIL PROTECTED]> writes: > How exactly is having a private key password different from simply > telling the user to kinit ONCE on their local machine before attempting > to SSH to your Kerberized machines? Because you have to kinit once **per realm**. Most users als

Re: Use ssh key to acquire TGT?

2007-05-31 Thread Christopher D. Clausen
Adam Megacz <[EMAIL PROTECTED]> wrote: > "Christopher D. Clausen" <[EMAIL PROTECTED]> writes: >> How exactly is having a private key password different from simply >> telling the user to kinit ONCE on their local machine before >> attempting to SSH to your Kerberized machines? > > Because you have

Re: Use ssh key to acquire TGT?

2007-05-31 Thread Russ Allbery
Adam Megacz <[EMAIL PROTECTED]> writes: >>> Because you have to kinit once **per realm**. >> Well, if the passwords are different you can't get around that. > As they should be, because I do not want to entrust the admins of any > of the systems I use with knowledge of the password for my accoun

Re: Use ssh key to acquire TGT?

2007-05-31 Thread Adam Megacz
>> Because you have to kinit once **per realm**. > Well, if the passwords are different you can't get around that. As they should be, because I do not want to entrust the admins of any of the systems I use with knowledge of the password for my account on other systems. > And wouldn't a user nee

Re: Use ssh key to acquire TGT?

2007-06-01 Thread John Hascall
> One of these days I'm going to request (for HCOOP) crossrealm trusts > with the top 10 computer science universities in the USA [*] and > document (a) my success rate, (b) how many emails it took, and (c) how > many months from first request to working trust entry. Hopefully a > published case

Re: Use ssh key to acquire TGT?

2007-06-01 Thread Thomas Kula
On Fri, Jun 01, 2007 at 06:59:04AM -0500, John Hascall wrote: > > But, your point is well taken. Perhaps > what would be more useful is if somebody > like educase served as a central crossrealm > hub (everyone exchanges keys with them and > gets a current capaths file). > I've often considered

Re: Use ssh key to acquire TGT?

2007-06-01 Thread Ken Hornstein
>One of these days I'm going to request (for HCOOP) crossrealm trusts >with the top 10 computer science universities in the USA [*] and >document (a) my success rate, (b) how many emails it took, and (c) how >many months from first request to working trust entry. Hopefully a >published case study

Re: Use ssh key to acquire TGT?

2007-06-01 Thread Marcus Watts
Adam Megacz <[EMAIL PROTECTED]> writes: > Date:Thu, 31 May 2007 19:14:50 PDT > To: kerberos@mit.edu > From:Adam Megacz <[EMAIL PROTECTED]> > Subject: Use ssh key to acquire TGT? > > I know the idea will make some people recoil in horror, but are there &

Re: Use ssh key to acquire TGT?

2007-06-01 Thread Adam Megacz
Thanks for taking the time to reply, Russ. Russ Allbery <[EMAIL PROTECTED]> writes: > PKINIT already exists and is already standardized, Hrm, last I checked there was no RFC, just an internet-draft. > so using X.509 certificates is much easier than using ssh private > keys. Perhaps for adminis

Re: Use ssh key to acquire TGT?

2007-06-01 Thread Adam Megacz
Ken Hornstein <[EMAIL PROTECTED]> writes: > I may be an extreme case, but I have 20 cross-realm keys. How many of those keys belong to administratively independent organizations (i.e. if your home realm is part of .mil, how many of those keys are for civilian organizations?) I'll readily concede t

Re: Use ssh key to acquire TGT?

2007-06-01 Thread Adam Megacz
John Hascall <[EMAIL PROTECTED]> writes: > How many of the top-10 use Kerberos? > And what exactly is the top-10 (which list?) > For the sake of argument let's say they are: Well, based on AFS usage (which requires Kerberos right now), all of the schools on your list except UT Austin must have a

Re: Use ssh key to acquire TGT?

2007-06-01 Thread Jeffrey Altman
Adam Megacz wrote: > Thanks for taking the time to reply, Russ. > > Russ Allbery <[EMAIL PROTECTED]> writes: >> PKINIT already exists and is already standardized, > > Hrm, last I checked there was no RFC, just an internet-draft. RFC 4456 http://www.ietf.org/rfc/rfc4556.txt >> so using X.509 certifi

Re: Use ssh key to acquire TGT?

2007-06-01 Thread Russ Allbery
Adam Megacz <[EMAIL PROTECTED]> writes: > John Hascall <[EMAIL PROTECTED]> writes: >> How many of the top-10 use Kerberos? And what exactly is the top-10 >> (which list?) For the sake of argument let's say they are: > Well, based on AFS usage (which requires Kerberos right now), all of > the sch

Re: Use ssh key to acquire TGT?

2007-06-01 Thread Christopher D. Clausen
Adam Megacz <[EMAIL PROTECTED]> wrote: > John Hascall <[EMAIL PROTECTED]> writes: >> How many of the top-10 use Kerberos? >> And what exactly is the top-10 (which list?) >> For the sake of argument let's say they are: > > Well, based on AFS usage (which requires Kerberos right now), all of > the sc

Re: Use ssh key to acquire TGT?

2007-06-01 Thread Daniel Kahn Gillmor
On Fri 2007-06-01 13:32:56 -0400, Jeffrey Altman wrote: > I do want to state that as a KDC administrator would have serious > concerns with the use of SSH keys as a method of authenticating a > user to my realm. Users do not generate unique keys for

Re: Use ssh key to acquire TGT?

2007-06-02 Thread Adam Megacz
"Christopher D. Clausen" <[EMAIL PROTECTED]> writes: > UIUC has AFS? Is there some other UIUC that I don't know about? Hrm, I was going by the fact that ncsa.uiuc.edu and acm.uiuc.edu are both in the CellServDB that comes with OpenAFS (and appear to work), but I guess those might be sub-campus-l

Re: Use ssh key to acquire TGT?

2007-06-02 Thread Adam Megacz
Jeffrey Altman <[EMAIL PROTECTED]> writes: >> Hrm, last I checked there was no RFC, just an internet-draft. > RFC 4456 > http://www.ietf.org/rfc/rfc4556.txt Wow, sweet. What is the implementation status in current KDCs (MIT and Heimdal)? Currently my thinking is to patch pam_krb5 and add a fla

Re: Use ssh key to acquire TGT?

2007-06-02 Thread Russ Allbery
Adam Megacz <[EMAIL PROTECTED]> writes: > "Christopher D. Clausen" <[EMAIL PROTECTED]> writes: >> UIUC has AFS? Is there some other UIUC that I don't know about? > Hrm, I was going by the fact that ncsa.uiuc.edu and acm.uiuc.edu are > both in the CellServDB that comes with OpenAFS (and appear to

Re: Use ssh key to acquire TGT?

2007-06-02 Thread Russ Allbery
Adam Megacz <[EMAIL PROTECTED]> writes: > Jeffrey Altman <[EMAIL PROTECTED]> writes: >>> Hrm, last I checked there was no RFC, just an internet-draft. >> RFC 4456 >> http://www.ietf.org/rfc/rfc4556.txt > Wow, sweet. What is the implementation status in current KDCs (MIT and > Heimdal)? Heimda

Re: Use ssh key to acquire TGT?

2007-06-02 Thread Ken Hornstein
>How many of those keys belong to administratively independent >organizations (i.e. if your home realm is part of .mil, how many of >those keys are for civilian organizations?) There are a few ones that are ambiguous, but the highest number of .mil related cross-realm keys are 12, which leaves 8 tha

Re: Use ssh key to acquire TGT?

2007-06-02 Thread Christopher D. Clausen
Russ Allbery <[EMAIL PROTECTED]> wrote: > Adam Megacz <[EMAIL PROTECTED]> writes: >> "Christopher D. Clausen" <[EMAIL PROTECTED]> writes: >>> UIUC has AFS? Is there some other UIUC that I don't know about? > >> Hrm, I was going by the fact that ncsa.uiuc.edu and acm.uiuc.edu are >> both in the Cel

Re: Use ssh key to acquire TGT?

2007-06-03 Thread Christopher D. Clausen
John Hascall <[EMAIL PROTECTED]> wrote: >> One of these days I'm going to request (for HCOOP) crossrealm trusts >> with the top 10 computer science universities in the USA [*] and >> document (a) my success rate, (b) how many emails it took, and (c) >> how many months from first request to working

Re: Use ssh key to acquire TGT?

2007-06-03 Thread John Hascall
> Let's say that there were Kerberos cross-realm trusts created between > these various organizations. Would that really help? The original > point was to gain access to the AFS filesystem. Just logging onto the > machine is possible now using SSH keys. Do other sites use AFS > "foreign" us

Re: Use ssh key to acquire TGT?

2007-06-04 Thread Ken Hornstein
>Let's say that there were Kerberos cross-realm trusts created between >these various organizations. Would that really help? The original >point was to gain access to the AFS filesystem. Just logging onto the >machine is possible now using SSH keys. Do other sites use AFS >"foreign" users th