Suppose I have four computers, Laptop, Server1, Server2, Kerberos server:
- I log in using PuTTY or SSH from L to S1, giving my username / password
- From S1 I then SSH to S2. No password is needed as Kerberos authenticates me
Describe all the important SSH and KRB5 protocol exchanges: "L sends username to S1", "K sends … to S1" etc.
(This question is intended to be community-edited; please improve it for the non-expert reader.)
Best Answer
First login:
pam_krb5
orpam_sss
) requests a TGT (ticket-granting ticket) from the Kerberos KDC.$KRB5CCNAME
environment variable to find the ccache, or useklist
to list its contents.)pam_krb5
is called in authorization stage, it checks whether~/.k5login
exists. If it does, it must list the client Kerberos principal. Otherwise, the only allowed principal isusername@DEFAULT-REALM
.Second login:
host/s2.example.com@EXAMPLE.COM
, by sending a TGS-REQ with the TGT to the KDC, and receiving a TGS-REP with the service ticket from it.Note that you can obtain TGTs locally as well. On Linux, you can do this using
kinit
, then connect usingssh -K
. For Windows, if you are logged in to a Windows AD domain, Windows does that for you; otherwise, MIT Kerberos can be used. PuTTY 0.61 supports using both Windows (SSPI) and MIT (GSSAPI), although you must enable forwarding (delegation) manually.1
gssapi-keyex
is also possible but was not accepted into official OpenSSH.