Is there a way to use kerberos (or baring that a trusted CA) to allow users to ssh across machines in an environment isntead of having to manage the hash keys per user/server? I'm using kerberos+ldap to log folks in and get their settings but I'd like to take it a step further. I've been reading a lot but still can't quite get it all to come together.

Do I need to create a SPN for each host to do this? Sorry if I am asking a dumb question, I am returning to the *nix fold after a decade+ in the Microsoft world, be gentle with me.

Sure you can, if you have a krb5 ticket that's valid, just enabled the ssh server to accept forwarded tickets using the gssapi options in the config files and you should see it being passed along pretty easily.

Whilst kerberos is nice and tricky and all, remember that it propagates the weakest link in the security chain, one unguarded machine can expose a HUGE amount of other machines.

There are also certificate angles, but only, afaik, via patching the source, I don't think anything is part of the mainline openssh code tree. Go google that one, certainly out there.

2 members found this post helpful.

Any links would be appreciated, I am having trouble finding how to set up GSSAPI to take advantage of this. The man page is not much help. Need a woman page, that would tell me exactly what I am doing wrong

Hi,

Add like this just bellow the HOST entry in /etc/ssh/ssh_config

"GSSAPIDelegateCredentials yes "

It will work..