This is a discussion on Re: dfs/dce and openssh within the OpenSSH Development forums, part of the Networking and Network Related category.
Simon Wilkinson wrote:
>
> On 10 May 2007, at 12:21, Douglas E. Engert wrote:
>> Perry Smith wrote:
>>> I searched google and did not find any hits on this being solved.
>>>
>>> I want to get ssh so I can the dsa/rsa style password it in an
>>> environment that uses dfs/dce authentication if that is possible (and
>>> it has not already been solved). In other words, I want to be able
>>> to log into a host as a dfs/dce user without typing my password.
>>
>>
>> DCE uses Kerberos 5, so the GSSAPI code in SSH should work. Delegation
>> should also work, so you can get tickets for DFS.
>
> The problem here is that you can't use OpenSSH's DSA/RSA key-based
> authentication and still have credentials on the machine that you've
> logged in to. I don't know enough about DCE to be able to comment on
> that specific case, but in a standard Kerberos environment, you'd need
> to run 'kinit' after login in order to have credentials. There's no way
> (that I'd want to deploy) of getting around this.
>

DFS is like AFS on steroids, but you need Kerberos tickets to access DFS.
So the answer to "I want to be able to log into a host as a dfs/dce user
without typing my password." is no. But with GSSAPI and Kerberos you
should only have to do this once a day (kinit), on the machine in front
of you.

(I have not used DCE/DFS in about 5 years when we turned it off and went
back to AFS.)

DCE had an early Kerberos PKINIT support, so you might be able to use
PKINIT to avoid typing a password.

> Simon.
>
>

--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://lists.mindrot.org/mailman/lis...enssh-unix-dev
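The thread turns on whether a login leaves Kerberos credentials on the remote host. As an added example (not part of the original message and not OpenSSH's own code), this shell function classifies the effective client settings printed by `ssh -G <host>`. The host name, the sample lines and the three result labels are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the GSSAPI settings in `ssh -G <host>` output.
# Reads the lowercase "keyword value" lines that `ssh -G` prints on stdin.
# Prints one of (labels are this example's own):
#   delegating - GSSAPI auth and credential delegation are both on, so a
#                ticket can be forwarded to the remote host
#   auth-only  - GSSAPI login is possible, but no ticket is forwarded; the
#                remote session has no credentials until kinit is run there
#   disabled   - GSSAPI auth is off, or the client was built without it
gss_mode() {
    awk '
        $1 == "gssapiauthentication"      { auth = $2 }
        $1 == "gssapidelegatecredentials" { deleg = $2 }
        END {
            if (auth != "yes")       print "disabled"
            else if (deleg == "yes") print "delegating"
            else                     print "auth-only"
        }'
}

# Constructed sample inputs (not captured from a real host).
sample_delegating() {
    printf '%s\n' 'hostname dfs1.example.org' \
        'gssapiauthentication yes' \
        'gssapidelegatecredentials yes' \
        'pubkeyauthentication yes'
}
sample_auth_only() {
    printf '%s\n' 'hostname dfs1.example.org' \
        'gssapiauthentication yes' \
        'gssapidelegatecredentials no'
}
sample_no_gssapi() {
    # A client without GSSAPI support prints no gssapi* lines at all.
    printf '%s\n' 'hostname dfs1.example.org' 'pubkeyauthentication yes'
}

# Real use (dfs1.example.org is a placeholder host name):
#   ssh -G dfs1.example.org | gss_mode
for s in sample_delegating sample_auth_only sample_no_gssapi; do
    printf '%s: %s\n' "$s" "$($s | gss_mode)"
done
```

A result of `auth-only` matches the situation described for key-based login: the session opens, but access to ticket-protected file systems fails until credentials are obtained on the remote side.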