Paramiko doesn't support Kerberos

[bitprophet]

Description

Two people so far have asked in IRC about Kerberos support, which apparently is baked into the average SSH client by way of the GSSAPI protocol. User has Kerberos ticket locally somehow, which SSH then knows to forward to the remote end for authentication, in lieu of password or pubkey auth.

Unforunately Paramiko doesn't seem to have Kerberos support at this time (going by this ServerFault question, this Paramiko Launchpad ticket and my trolling of the API docs). Which means Fabric doesn't either, save for the usual OOB trickery (if that even works with Kerberos; e.g. local('ssh --something-kerberos %s' % env.host_string) at the top of one's Fab tasks).

Users who need Kerberos should probably add their voice to the abovelinked Launchpad ticket.

I'm closing this as I create it, since there is no real action that can be taken on our end save for more hacking of Paramiko -- I just want it documented somewhere. Perhaps if my attempts on #72 go well I will become emboldened and try my hand at this too.

---

Originally submitted by Jeff Forcier (bitprophet) on 2010-07-15 at 09:58am EDT

Relations

• Related to SSH key forwarding #72: SSH key forwarding

---

Closed as Wontfix on 2010-07-15 at 10:01am EDT

[kyrias]

Kerberos support seem to have been merged into Paramiko now, so unless I’m missing something this should be easier to implement now.

[bitprophet]

Correct, so depending on how much code is required to add it to Fab (hopefully only a few parameter pass-throughs here and there, from what I remember) somebody could PR this now or we can certainly add it in 2.x