
My university uses Kerberos-based authentication for login to our unix servers.

One way to get passwordless login is to run kinit, type my password, and then run ssh@host.

For this setup, I do the following inside my .ssh/config:

    Host SchoolHost1 SchoolHost2
        GSSAPIKeyExchange yes
        GSSAPIAuthentication yes
        GSSAPIDelegateCredentials yes

My question is, can I skip the kinit step and run ssh directly, in such a way that the first attempt to ssh will automatically grab a Kerberos ticket, so that subsequent attempts to ssh will have the ticket and not require a password?

Update: Public Key login is not supported by the University's system, because the server cannot read authorized_keys file before the login. This is a property of the Kerberos / AFS system for which there is really no workaround.

  • Can you not just exchange the pub/private keys for SSH and login using those instead? Commented Mar 11, 2014 at 12:57
  • The whole reason why I am going through this Kerberos crap is because the University's machines do not support public keys login. Commented Mar 11, 2014 at 19:11

2 Answers


On your laptop, I'd redefine ssh in your ~/.bash_login or ~/.bashrc file

    ssh () {
        # renew the existing ticket if it is still renewable, otherwise get a fresh renewable one
        kinit -R || kinit -r 8days
        # then run the real ssh binary, bypassing this function, with all arguments intact
        command ssh "$@"
    }

to refresh your ticket if possible, otherwise make a fresh one - if your AFS site policy agrees.

Public key login is possible but only as a last resort if you really truly cannot Kerberize your laptop - on the ssh server, move secret keys (if any) from ~/.ssh/ to ~/.ssh/private/, chmod 700 and fs setacl to secure your private keys, fs listacl ~/.ssh/private/ to double check only you have access, finally make ~/.ssh and ~/.ssh/authorized_keys world readable so sshd can see them to log you in - but until you do something like ( kinit -R || kinit -r 8days ) && aklog; klist you'll lack AFS access - so scp can see /tmp/ but not /afs/ - if you work out how to get tickets after scp logs in and before it accesses files, please let me know!


Yes, you can do this with a quick script:

    #!/bin/bash
    # klist exits non-zero when there is no usable ticket, so kinit only runs in that case
    klist || kinit
    # forward the wrapper's arguments to the real ssh
    ssh "$@"

Put this in your PATH and run it instead of ssh.

This works by using the klist utility. If you have no active tickets, then klist will fail and kinit will be run. If you have an active ticket, then klist will succeed and kinit will not be run.

I haven't tested this thoroughly, so there are probably enormous problems with it.

  • I think you want to add the option -s to the klist, which suppresses it printing out output when you do have a valid key. I made an alias ssh='klist -s || kinit && ssh' which seems to be working, but there may well be problems I haven't caught. Commented Feb 23, 2015 at 8:14
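Both answers amount to the same control flow: check for a valid ticket, renew or acquire one only if needed, then run the real ssh with the arguments untouched. The following is an added example that combines the two (the first answer's renew-then-fresh-kinit step and the second answer's klist check with the -s flag from the comment); it is not code from either answer. The name kssh and the KLIST, KINIT and SSH override variables are assumptions introduced here so the logic can be exercised with stand-in commands on a machine without a Kerberos realm; klist -s and kinit -R are real MIT/Heimdal options.

```shell
#!/bin/sh
# Added example, not code from either answer: a POSIX sh wrapper that obtains a
# Kerberos ticket only when the cache holds no valid one, then runs the real
# ssh with every argument preserved. KLIST, KINIT and SSH are assumptions for
# testing: they let the control flow be exercised with stand-in commands on a
# machine without a Kerberos realm. Leave them unset for real use.
KLIST=${KLIST:-klist}
KINIT=${KINIT:-kinit}
SSH=${SSH:-ssh}

# ensure_ticket: exit 0 if a usable TGT exists or could be obtained, 1 if not.
# "klist -s" prints nothing and exits non-zero when the credential cache is
# missing or every ticket in it has expired, so it is the check a wrapper wants
# (plain "klist" would clutter the terminal on every successful call).
ensure_ticket() {
    if "$KLIST" -s 2>/dev/null; then
        return 0
    fi
    # Renewal (-R) needs no password; only if that is impossible fall back to a
    # fresh kinit, which prompts for the password once.
    "$KINIT" -R 2>/dev/null || "$KINIT" || return 1
    return 0
}

# kssh: user-facing entry point. Refuses to start ssh when no ticket could be
# obtained, so a failed kinit does not silently fall through to a server-side
# password prompt.
kssh() {
    if ! ensure_ticket; then
        echo "kssh: no Kerberos ticket available; not starting ssh" >&2
        return 1
    fi
    "$SSH" "$@"
}

# When installed as a script named "kssh" on PATH, run it; when sourced from
# ~/.bashrc only the functions are defined and nothing executes.
case "$0" in
    kssh|*/kssh) kssh "$@" ;;
esac
```

Unlike the alias in the comment, the function form survives arguments with spaces and refuses to run ssh at all when kinit fails, which keeps a typo in the password from turning into an unexpected password prompt on the remote host.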
