SSH and Kerberos

Machines that are configured to use Kerberos for authentication are also configured to use kerberos authentication (GSS API) and delegation for outgoing SSH connections to other MCECS machines by default. This means that if you are physically logged into a workstation machine and you SSH to another computer you won’t have to enter your password again and your kerberos ticket will “follow” you to the computer you SSH’d into.

SSH To Machines That use Kerberos Authentication Using SSH Keys Won’t Work

Key-based authentication to machines that use Kerberos for authentication and for protecting NFS traffic either won’t work at all,or will work in unreliable and unpredictable ways. This is because your SSH public key resides in your home directory which is not available until you have a valid Kerberos ticket. It’s best to assume that it won’t work at all and use GSS API authentication to get authenticate to workstations and other Kerberos protected computers.

SSH From Machines That Don’t Use Kerberos Authentication

If a Linux computer doesn’t use Kerberos for authentication, and you are manually initializing a Kerberos ticket, and you want to ssh using GSSAPI (Kerberos) to get to workstation machines you might want to add something like the following to your ~/.ssh/config file:

Host *.pdx.edu
HostbasedAuthentication no

GSSAPIAuthentication yes

GSSAPIDelegateCredentials yes

PreferredAuthentications gssapi-with-mic,publickey,keyboard-interactive,password

This will specify that you want to try using GSSAPI authentication and delegation when SSHing to any other PSU computers.