Re: Hostbased authentication without known_hosts file? (openssh-unix-dev)
* Douglas E. Engert [2008-10-27 11:11:26 -0500]:
> Dominik Epple wrote:
>> Hi,
>>
>> On Mon, 27 Oct 2008, Damien Miller wrote:
>>> Kerberos
>>
>> This requires the users to obtain a ticket, I guess?
> Yes. You would need a Kerberos realm setup with user principals, and host
> principals. Each host has to have a keytab file. One way to use this
> is the user gets a ticket on the client, then you use the GSSAPI
> options of ssh. There are Windows ssh clients like SecureCRT and some versions
> of PuTTY that can do GSSAPI. Windows uses Kerberos so any AD users already
> have tickets.
Don't you also need Simon Wilkinson's GSSAPI key exchange patch for
OpenSSH to bypass the known_hosts-based host key checks? It's a minor caveat
since many distributors already apply that patch, but as far as I know
the feature isn't included in vanilla OpenSSH yet.
>> Or is there a
>> way to do password-less, ticket-less hostbased authentication which
>> just uses kerberos host keys instead of ssh host keys to validate
>> the remote host?
In principle that ought to be feasible with a helper program similar to
ssh-keysign that accesses a keytab and uses its contents to initiate the
GSS exchange, but I don't think anyone has implemented it yet.
(I don't find it a particularly desirable feature: I'd rather
authenticate the user than the client host.)
Another solution might be for you to use rsh over IPsec (and either a
public-key infrastructure or Kerberos to establish the security associations;
PKI is more widely supported).
openssh-unix-dev mailing list
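The setup Douglas describes (user and host principals, a keytab on each host, the GSSAPI options of ssh) together with the GSSAPIKeyExchange option that the gssapi-keyex patch adds, rendered as client and server configuration and checked offline. This is an added example, not code from the thread or from OpenSSH; the realm EXAMPLE.COM, the server name fs1.example.com and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH: render the client and
# server GSSAPI settings the thread describes and check them offline.
# Assumed (hypothetical) names: realm EXAMPLE.COM, server fs1.example.com.
set -eu

REALM="${REALM:-EXAMPLE.COM}"
SERVER_FQDN="${SERVER_FQDN:-fs1.example.com}"

# Client-side ssh_config. With GSSAPIKeyExchange (the option added by Simon
# Wilkinson's gssapi-keyex patch, absent from vanilla OpenSSH at the time of
# the thread) the server proves its identity through its Kerberos host
# principal host/<fqdn>@REALM, so no known_hosts entry is consulted for it.
# The user still needs a ticket first:  kinit user@EXAMPLE.COM ; klist
client_ssh_config() {
  cat <<EOF
# expected server principal: host/$SERVER_FQDN@$REALM
Host $SERVER_FQDN
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
    GSSAPIDelegateCredentials no
EOF
}

# Server-side sshd_config. The host needs a keytab (/etc/krb5.keytab)
# holding host/<fqdn>@REALM, created on an MIT KDC with e.g.
#   kadmin -q "addprinc -randkey host/$SERVER_FQDN"
#   kadmin -q "ktadd host/$SERVER_FQDN"
server_sshd_config() {
  cat <<EOF
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPICleanupCredentials yes
EOF
}

# check_gss_config FILE: succeed only if FILE enables both GSSAPIAuthentication
# and GSSAPIKeyExchange; list what is missing on stderr otherwise.
check_gss_config() {
  _file="$1"; _missing=""
  for _opt in GSSAPIAuthentication GSSAPIKeyExchange; do
    grep -Eiq "^[[:space:]]*${_opt}[[:space:]]+yes[[:space:]]*$" "$_file" \
      || _missing="$_missing $_opt"
  done
  if [ -n "$_missing" ]; then
    echo "$_file: not enabled:$_missing" >&2
    return 1
  fi
  return 0
}

# local_ssh_understands_keyex FILE: 0 if the installed ssh parses FILE (so it
# carries the gssapi-keyex patch), 1 if it rejects the option or predates
# "ssh -G" (OpenSSH 6.8), 2 if there is no ssh binary at all.
local_ssh_understands_keyex() {
  command -v ssh >/dev/null 2>&1 || return 2
  ssh -G -F "$1" "$SERVER_FQDN" >/dev/null 2>&1 && return 0
  return 1
}

demo_dir="$(mktemp -d)"
client_ssh_config > "$demo_dir/ssh_config"
server_sshd_config > "$demo_dir/sshd_config"
check_gss_config "$demo_dir/ssh_config"
check_gss_config "$demo_dir/sshd_config"
rc=0
local_ssh_understands_keyex "$demo_dir/ssh_config" || rc=$?
case $rc in
  0) echo "local ssh accepts GSSAPIKeyExchange (gssapi-keyex patch present)" ;;
  1) echo "local ssh rejects GSSAPIKeyExchange: vanilla OpenSSH, known_hosts still needed" ;;
  *) echo "no ssh binary found; skipped the parse check" ;;
esac
rm -rf "$demo_dir"
```

The check at the end is the practical version of the caveat raised above: if the installed ssh rejects GSSAPIKeyExchange, it is unpatched and the known_hosts prompt stays. When the option is accepted, host trust moves from known_hosts to the KDC and to the name the client was given (it asks for a ticket for host/<that name>), so the name resolution path and the KDC become what needs protecting.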