#128 [RFE] Investigate the constrained delegation for host hopping
Closed: Deferred 4 years ago by simo. Opened 9 years ago by dpal.

Use case:

User authenticated at his desktop and has a TGT. He then SSHes to system A using GSSAPI. From system A he needs to hop to system B and then C and so on. Currently such behavior requires full delegation. It can also be accomplished with constrained delegation.

If all systems are enrolled with IPA and the IPA constrained delegation policy is configured to allow hosts A, B and C to delegate to each other, the user should be able to hop around.

A bonus would be to be able to mount secure NFS with Kerberos from each host the user hops into.

Scope of work

  1. Setup IPA
  2. Connect systems A, B, C and the user's system to it.
  3. Enable SSH with GSSAPI
  4. Configure constrained delegation on IPA. Might have to be done manually until ticket https://fedorahosted.org/freeipa/ticket/3644 is fixed.
  5. Configure GSS-Proxy to do S4U2Proxy for SSH
  6. Configure SSH to use GSS-Proxy on client and server
  7. Hook up NFS clients to GSS-Proxy too
  8. File tickets/BZ for what does not work
  9. Address issues found in 8.
  10. Document the setup
  11. Create a demo.

This might be a candidate for thesis work.
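
Steps 4 to 7 of the scope above, written out as an added example (this is not code from the ticket, from FreeIPA or from the gssproxy project). It is a POSIX shell script whose functions emit the IPA commands for the delegation policy, a gssproxy.conf covering sshd, the ssh client and the NFS client, and the ssh_config and sshd environment settings that route both through GSS-Proxy. The realm EXAMPLE.TEST, hosts a/b/c.example.test, the rule and target names, the ccache path and the [service/ssh-client] and [service/nfs-client] entries are assumptions; the ipa commands assume a FreeIPA that has the servicedelegationrule/servicedelegationtarget plugin (which did not exist when the ticket was opened), and the --ok-to-auth-as-delegate flag assumes a host-mod that carries it.

```shell
#!/bin/sh
# Added example, not from the ticket or the gssproxy project: emit the
# pieces needed for the A -> B -> C hop without full delegation.
# Names (realm, hosts, rule names, paths) are assumptions; the ipa
# commands assume a FreeIPA with the servicedelegation* plugin and a
# host-mod that accepts --ok-to-auth-as-delegate.
set -eu

REALM=${REALM:-EXAMPLE.TEST}
HOPS=${HOPS:-"a.example.test b.example.test c.example.test"}

# One host/ principal per hop; each is both an sshd acceptor (it receives
# the user's service ticket as evidence) and a later S4U2Proxy initiator.
hop_principals() {
    for h in $HOPS; do
        printf 'host/%s@%s\n' "$h" "$REALM"
    done
}

# KDC side: a rule names who may delegate (members), a target names what
# they may delegate to. Every hop is both, so the user can hop in any
# order; nfs/<host> is a target so the proxied ticket also covers
# sec=krb5 mounts from each hop. The user's desktop is deliberately not a
# target, so a compromised hop cannot use the policy to reach it.
ipa_commands() {
    printf 'ipa servicedelegationrule-add ssh-hopping\n'
    printf 'ipa servicedelegationtarget-add ssh-hopping-targets\n'
    for p in $(hop_principals); do
        host=${p#host/}; host=${host%@*}
        printf 'ipa host-mod %s --ok-to-auth-as-delegate=True\n' "$host"
        printf 'ipa servicedelegationrule-add-member ssh-hopping --principals=%s\n' "$p"
        printf 'ipa servicedelegationtarget-add-member ssh-hopping-targets --principals=%s\n' "$p"
        printf 'ipa servicedelegationtarget-add-member ssh-hopping-targets --principals=nfs/%s@%s\n' "$host" "$REALM"
    done
    printf 'ipa servicedelegationrule-add-target ssh-hopping --servicedelegationtargets=ssh-hopping-targets\n'
}

# GSS-Proxy side, same file on every hop. sshd never touches the keytab:
# gssproxy holds it, accepts the GSSAPI handshake and, with impersonate,
# obtains proxy credentials for the user via S4U2Self/S4U2Proxy and keeps
# them in a per-uid ccache. The ssh and nfs client entries let the user's
# later outbound contexts go through the same machinery.
gssproxy_conf() {
    cat <<'EOF'
[service/sshd]
  mechs = krb5
  euid = 0
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  impersonate = yes
  allow_constrained_delegation = yes

[service/ssh-client]
  mechs = krb5
  program = /usr/bin/ssh
  allow_any_uid = yes
  trusted = yes
  cred_usage = initiate
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  impersonate = yes

[service/nfs-client]
  mechs = krb5
  cred_usage = initiate
  allow_any_uid = yes
  trusted = yes
  euid = 0
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  impersonate = yes
EOF
}

# SSH side. The client must NOT forward its TGT: that is exactly the full
# delegation the ticket wants to avoid. Constrained delegation needs only
# the GSSAPI authentication itself.
ssh_client_conf() {
    cat <<'EOF'
Host *.example.test
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials no
EOF
}

# Put in /etc/sysconfig/sshd (and in the user's environment for ssh) so
# both binaries talk to gssproxy instead of using the keytab directly.
sshd_env() {
    printf 'GSS_USE_PROXY=yes\n'
}

# Usage: ./hop-setup.sh ipa | gssproxy | ssh_config | sshd_env
case "${1:-}" in
    ipa)        ipa_commands ;;
    gssproxy)   gssproxy_conf ;;
    ssh_config) ssh_client_conf ;;
    sshd_env)   sshd_env ;;
    *)          ;;
esac
```

Run `./hop-setup.sh ipa` on a machine with an admin ticket to see the policy commands before applying them, then install the other outputs on each hop and restart gssproxy and sshd. Expect the first hop to fail until every host in the chain has the rule, the target and the sshd entry in place; a hop whose host/ principal is missing from the rule gets KDC errors on the S4U2Proxy request, not an sshd error.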


Metadata Update from @dpal:
- Issue assigned to simo
- Issue set to the milestone: X - DEFERRED

7 years ago

Project has moved; please reopen here if still an issue:
https://github.com/gssapi/gssproxy/issues

Metadata Update from @simo:
- Issue close_status updated to: Deferred
- Issue priority set to: None (was: 3)
- Issue status updated to: Closed (was: Open)

4 years ago
