[nycbug-talk] FreeIPA

Okan Demirmen okan at demirmen.com
Thu May 19 17:12:00 EDT 2011


On Thu 2011.05.19 at 20:39 +0000, Pete Wright wrote:
> On Thu, May 19, 2011 at 02:57:31PM -0400, Edward Capriolo wrote:
> > Pete,
> > 
> > I was under the impression that the Kerberos + SSH setup you describe above
> > requires a kerberos capable SSH Client. Is that correct? If so do all SSH
> > tools like putty support this? That was the problem I was getting at, that
> > in the environment I was in I was not able to control the SSH client, or the
> > web browser in use, so even though technically SSH and HTTP support this.
> > You can not count on a tool like putty, or someone's favourite FTP client to
> > have Kerberos.
> > 
> 
> i know on FreeBSD (and iirc OpenBSD), as well as RHEL/CentOS linux krb
> auth is enabled by default for openssh.  i can not speak for non-openssh
> implementations though.

Right.

Also note there are *two* ways:
 - do the kinit dance on your local machine and pass the ticket along.
 - have sshd use kerberos for authentication.

The latter is what most people will want to do.
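
The two ways listed above correspond to two sets of OpenSSH server options, `GSSAPIAuthentication` for a forwarded ticket and `KerberosAuthentication` for a password that sshd checks against the KDC. The following check is an added example, not part of the original message; the function names and sample inputs are constructed, and it assumes input in the form printed by `sshd -T` (one lowercase `keyword value` line per option).

```shell
#!/bin/sh
# Added example: report which Kerberos login path an sshd offers, based on
# the effective configuration as printed by `sshd -T`.

# Print the value of keyword $1 from config text on stdin ("no" if the
# keyword is not listed, e.g. a build without Kerberos support).
sshd_opt() {
    awk -v k="$1" 'tolower($1) == k { v = tolower($2) }
                   END { print (v == "" ? "no" : v) }'
}

# krb_ssh_modes CONFIG_TEXT
# Prints "ticket", "password-via-kdc", both separated by a space, or "none".
krb_ssh_modes() {
    cfg=$1
    modes=""
    # Way 1: the user ran kinit locally and the client presents the ticket
    # over GSSAPI. This needs a Kerberos-capable SSH client.
    if [ "$(printf '%s\n' "$cfg" | sshd_opt gssapiauthentication)" = "yes" ]; then
        modes="ticket"
    fi
    # Way 2: sshd validates the typed password against the KDC, so any
    # password-capable client works. It only applies when password
    # authentication itself is enabled.
    if [ "$(printf '%s\n' "$cfg" | sshd_opt kerberosauthentication)" = "yes" ] &&
       [ "$(printf '%s\n' "$cfg" | sshd_opt passwordauthentication)" = "yes" ]; then
        modes="${modes:+$modes }password-via-kdc"
    fi
    printf '%s\n' "${modes:-none}"
}

# Constructed sample inputs (not taken from a real host).
SAMPLE_BOTH='gssapiauthentication yes
kerberosauthentication yes
passwordauthentication yes'
SAMPLE_PW_OFF='gssapiauthentication no
kerberosauthentication yes
passwordauthentication no'

krb_ssh_modes "$SAMPLE_BOTH"
krb_ssh_modes "$SAMPLE_PW_OFF"
```

On a live host the input would be captured with `sshd -T`, which needs to run as root.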


