Subject: Re: ssh - are you nuts?!?
To: None <firstname.lastname@example.org>
From: Chris Jones <email@example.com>
Date: 12/20/2000 09:47:43
> On 17 Dec, Jason R Thorpe wrote:
> > To be fair, you can also have this with Kerberos 5 -- acquire a TGT
> > with forwardable credentials, and then tell whatever you're using to
> > forward them:
> I'm not clear on what this means. Can you expand on this?
When you log in to a Kerberos system, it issues you a Ticket Granting
Ticket, which represents your identity. When you telnet to another
system, Kerberos will try to authenticate you to the remote system by
requesting a service ticket, on the strength of the TGT it already has
for you. In addition, if you configure it to do so, it can forward
the TGT to the remote host. Here's the difference:
With no TGT forwarding, you login at A, typing your Kerberos
password. Then you telnet to B, and you don't have to type your
password. Then you telnet from B to C, and you *do* have to type your
password, because B doesn't have your TGT; it only has a service
ticket for telnet or login.
With TGT forwarding, you login at A, using your Kerberos password.
Then you telnet to B, and it sends your TGT along to B. Then you
telnet from B to C, and you can again login without a password.
The clincher is this: Do you trust the administrator of B not to
steal your TGT, once you transfer it to that system?
Kerberos is really quite well thought out. I believe there's some
good documentation on the design decisions, available from MIT
Chris Jones Mad scientist at large