I've recently encountered with this "limitation" when trying to bootstrap systems to use SSSD+GSSAPI (Kerberos) when they are first provisioned using ssh-key (e.g. Openstack). Once you go pubkey, GSSAPI cred forwarding isn't available in this context.. and that's a bit frustrating, but that's the way things are.
On Sat, Jul 16, 2016 at 2:26 AM, Brandon Allbery <ballb...@sinenomine.net> wrote: > Last time I looked at the openssh source code, turning them on could > interfere with the GSSAPI code: notably, it could cause the “old style” > ticket forwarding hack to be attempted instead of GSSAPI credential > delegation, which will fail with GSSAPI credentials. > > On 7/15/16, 01:39, "kerberos-boun...@mit.edu on behalf of Benjamin Kaduk" > <kerberos-boun...@mit.edu on behalf of ka...@mit.edu> wrote: > > >KerberosAuthentication yes > >KerberosOrLocalPasswd yes > >KerberosTicketCleanup yes > >#KerberosGetAFSToken no > >#KerberosUseKuserok yes > > As Brandon said, these are old/deprecated and it is unusual for them > to be > the desired configuration. But I don't know enough about what you > want in > order to be able to say that for sure. > > > ________________________________________________ > Kerberos mailing list Kerberos@mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > -- -------- Diogenes S. de Jesus ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
