Passing Kerberos TGT (ticket-granting ticket) to remote hosts with ssh
18/11/2009
Kerberos uses tickets to grant access to resources on a Kerberos-enabled computer. If you want to log in (via SSH) to a remote host and you don't want to re-execute the kinit command after you log in, you can just forward your ticket with your ssh client. Two steps are needed to do this, given that your Kerberos client is configured:
- Create a forwardable Kerberos ticket on your machine.
- Forward your ticket while logging in to the remote machine.
To create a forwardable ticket, execute kinit with the "-f" argument, e.g.:
pythoagoras:~ asteriosk$ kinit -f
Please enter the password for firstname.lastname@example.org:
To tell the ssh client to forward your ticket to the remote machine, you have to configure it accordingly. The easiest way to do this is to include two directives in your ssh client configuration file, which is .ssh/config (create it if it is not there).
chercheurs2-235:~ asteriosk$ more ~/.ssh/config
Host domain.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
Of course, substitute domain.com and username accordingly to match your configuration. This works for both Linux and Mac OS X clients.
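A forwarded TGT can be used by whoever controls the remote host, so it is worth confirming that delegation is enabled only under specific Host entries, as in the configuration above. The following is an added example, not part of the original post: the function name audit_delegation, its output labels and the sample configuration are constructed for illustration, and it goes beyond the single-host case by also handling wildcard patterns, global settings and Match blocks.

```shell
#!/bin/sh
# Added example: report where an ssh client config turns on
# GSSAPIDelegateCredentials and whether that scope is a single host.

# audit_delegation [FILE]  (reads stdin when FILE is omitted)
# Prints one line per place where delegation is set to "yes":
#   SCOPED <host>, WILDCARD <pattern>, WILDCARD (global), REVIEW (Match block)
audit_delegation() {
    awk '
        /^[ \t]*#/ { next }                  # comment line
        /^[ \t]*$/ { next }                  # blank line
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]+$/, "", line)
            sub(/[ \t]*=[ \t]*/, " ", line)  # accept "Keyword=value" too
            n = split(line, f, /[ \t]+/)
            key = tolower(f[1])              # keywords are case-insensitive
        }
        key == "host" {
            scope = "host"; npat = 0
            for (i = 2; i <= n; i++)         # negated patterns grant nothing
                if (f[i] !~ /^!/) pats[++npat] = f[i]
            next
        }
        key == "match" { scope = "match"; next }
        key == "gssapidelegatecredentials" && tolower(f[2]) == "yes" {
            if (scope == "match") { print "REVIEW (Match block)"; next }
            if (scope != "host")  { print "WILDCARD (global)"; next }
            for (i = 1; i <= npat; i++) {
                kind = (pats[i] ~ /[*?]/) ? "WILDCARD" : "SCOPED"
                print kind, pats[i]
            }
        }
    ' "$@"
}

# Constructed sample configuration (hypothetical hosts).
sample_config() {
    cat <<'EOF'
Host domain.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
Host *.lab.example !jump.lab.example
    GSSAPIDelegateCredentials=yes
Host *
    GSSAPIDelegateCredentials no
EOF
}

sample_config | audit_delegation
```

Run it against your own file with `audit_delegation ~/.ssh/config`; any WILDCARD line means tickets are forwarded to every host matching that pattern.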