Write Kerberos/AFS script #25

Closed
keithw opened this issue Feb 22, 2012 · 7 comments

@keithw
Member

keithw commented Feb 22, 2012

Sites using Kerberos and AFS need special care to preserve the user's Kerberos tickets and AFS tokens. Typically these are destroyed when SSH logs out -- which is a problem for us, since SSH logs out immediately before we even start the Mosh session proper.

One approach is to write a mosh-kerberos-server script that manually copies the Kerberos ticket file (and AFS tokens?) to a new location before detaching from the terminal and letting SSH reap the old ones.

@keithw
Member Author

keithw commented Mar 18, 2012

@matted-zz

Is this ticket-copying script currently recommended for use? With the official 1.2.4 release on Ubuntu, I can't forward existing Kerberos tickets to the mosh target. However, I copied in the Perl script above as mosh-server and made the current binary mosh-server be mosh-server.real, and ticket forwarding works.

Should this behavior work without this hack in newer versions, or is this a necessary workaround? I'm just trying to understand it since I don't see traces of this direction in github.

@nicowilliams

SSH should be able to delegate GSS (Kerberos, in your case) credentials.

Of course, SSH can also keep re-delegating credentials as they get refreshed... Mosh would need something similar, but the obvious thing to do is to just run ssh again to delegate new credentials, unless you want mosh to be able to do it itself for some reason, but now one starts wondering why bother with ssh at all...

@keithw
Member Author

keithw commented Oct 19, 2013

@matted, the script is in regular use at MIT. It's not an official part of Mosh but you are welcome to use it.

The problem is not with SSH or Kerberos specifically, but most installations of SSH and Kerberos today use PAM to kdestroy when the session ends. That's a problem for Mosh where the SSH session is only very brief (to launch the mosh-server, which lingers after the SSH connection closes). So this ticket-copying script is necessary in that case.
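
An added example, not the Perl script this thread refers to and not part of Mosh: a POSIX shell wrapper that copies a FILE:-type Kerberos credential cache to a fresh owner-only file and points KRB5CCNAME at the copy before starting the given command, so a kdestroy at SSH session close removes only the original. The script name `keep-krb5cc.sh` and the function `preserve_ccache` are hypothetical, and AFS tokens are not handled.

```shell
#!/bin/sh
# keep-krb5cc.sh (hypothetical name): added illustration, not the thread's script.
# Assumption: the ticket cache is a plain file (KRB5CCNAME=FILE:/path or a bare
# path). KEYRING:, DIR:, KCM: and similar cache types are left untouched.

# preserve_ccache KRB5CCNAME_VALUE
# Copies the cache file to a new private file and prints the new KRB5CCNAME
# value on stdout. Returns non-zero if there is nothing that can be copied.
preserve_ccache() {
    src=$1
    case $src in
        FILE:*) src=${src#FILE:} ;;
        /*)     ;;                  # bare absolute path, treated as a file cache
        *:*)    return 1 ;;         # non-file cache type: cannot be copied
    esac
    [ -n "$src" ] && [ -f "$src" ] && [ -r "$src" ] || return 1

    # mktemp creates the file with mode 0600 and an unpredictable name, so the
    # tickets are never readable by other local users, even briefly.
    dst=$(mktemp "${TMPDIR:-/tmp}/krb5cc_mosh_XXXXXX") || return 1
    if cat "$src" > "$dst"; then
        printf 'FILE:%s\n' "$dst"
    else
        rm -f "$dst"
        return 1
    fi
}

# Usage: keep-krb5cc.sh COMMAND [ARGS...]   (for example: keep-krb5cc.sh mosh-server new)
# Runs COMMAND with KRB5CCNAME pointing at the copy. If no cache can be copied,
# COMMAND still runs with the environment unchanged.
if [ "$#" -gt 0 ]; then
    if [ -n "${KRB5CCNAME:-}" ] && new_cc=$(preserve_ccache "$KRB5CCNAME"); then
        KRB5CCNAME=$new_cc
        export KRB5CCNAME
    fi
    exec "$@"
fi
```

The copy outlives the SSH session by design, so it stays on disk until it is removed; running kdestroy inside the session before logging out deletes it.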

@matted-zz

Thanks for the clarification and explanation, good to know.

I'm actually in CSAIL too... and I guess this is only useful to a small subset of users, but is this wrapper script sitting in any official or semi-official CSAIL or Athena AFS location? I can set it up myself on my machines, but I thought I'd see if a better solution existed. The mosh-server at /afs/csail/system/amd64_linux26/local/bin/ is the standard binary one, and older (1.1.3).

@keithw
Member Author

keithw commented Oct 20, 2013

Hello Matt,

Yes, it's sitting in the mosh_project locker on Athena (see above URL). I think the CSAIL sysadmins would probably be happy to upgrade their mosh-server and/or install this wrapper script if we prodded them.

Maybe the best path is for you to get it working on your machine, make sure it works, and then email TIG.

Cheers,
Keith

@keithw
Member Author

keithw commented Oct 20, 2013

P.S. I'm happy to be part of the discussion if you want me to -- keithw@mit.edu
