
I would like to host a web service (JupyterHub) which executes the following steps for a user:

  1. Acquire Kerberos ticket from user
  2. Use Kerberos ticket to spawn batch job on remote server

Therefore, I would need some Python snippet to handle the authentication part (python-gssapi) and pass the ticket to Paramiko. However, I do not understand how to get a Kerberos ticket with username/password and then pass it explicitly to SSHClient.connect.

Any help is highly appreciated :)

Hoeze
  • Google about "Kerberos double hop" to understand why it is problematic. Only Microsoft does that - with strong limitations, but still it's not a good idea – Samson Scharfrichter Apr 24 '23 at 20:45
  • Typically, when users authenticate to a web service with Kerberos it's because it's part of an SSO strategy (i.e. implicit/automatic use of a pre-existing ticket on the client side). But then the web service uses its own creds with elevated privileges to *impersonate* the user against back-end services. In your case... that won't work against an SSH daemon AFAIK. – Samson Scharfrichter Apr 24 '23 at 20:52
  • Why not use a privileged Linux account that spawns jobs for whichever Linux account the web service tells it to use? – Samson Scharfrichter Apr 24 '23 at 20:55
  • We would like to run JupyterHub in a VM without any access to our shared file systems. The user needs a Kerberos ticket anyway since we have NFSv4 secured with Kerberos. This means that the spawning script needs to 1) get the user some Kerberos ticket and 2) initiate the session spawning on our cluster. – Hoeze Apr 30 '23 at 12:09
  • Until now this was all very easy since the user logs in with username + password anyway. But we would like to transition to a single sign-on system with hardware-token-based 2FA, and I am trying to find out now what the most flexible solution for that is. Since OAuth2 is the web standard for SSO, it would be nice to authenticate with that and then transition to Kerberos tickets within our cluster. – Hoeze Apr 30 '23 at 12:12
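The two steps the question asks about (password to Kerberos TGT, TGT to Paramiko), as an added example that is not part of the original post and is not code from the JupyterHub, python-gssapi or Paramiko projects. It assumes python-gssapi with the password and credential-store extensions (gssapi.raw.acquire_cred_with_password, gssapi.raw.store_cred_into), a Paramiko build with GSSAPI support, a reachable KDC and an sshd with GSSAPIAuthentication enabled; the realm EXAMPLE.ORG, the host name login.example.org, the /tmp cache directory and the helper names are placeholders. One point the question's wording hides: SSHClient.connect has no parameter that takes a credential object, so the ticket cannot be passed "explicitly"; Paramiko's GSSAPI userauth reads the process default credential cache, which is why the example stores the ticket in a per-user cache and hands it over through KRB5CCNAME.

```python
"""Password -> Kerberos TGT -> Paramiko GSSAPI userauth, for a hub-style spawner.

Added example (not from the question or from JupyterHub/python-gssapi/Paramiko).
Assumptions: python-gssapi with gssapi.raw.acquire_cred_with_password and
gssapi.raw.store_cred_into, Paramiko with GSSAPI support, a reachable KDC.
EXAMPLE.ORG, login.example.org and /tmp are placeholders.
"""
import os
from typing import Optional, Tuple

# Optional imports: the pure helper functions below stay importable (and
# testable) on a machine without the Kerberos and SSH libraries.
try:
    import gssapi
    import gssapi.raw as gssraw
except ImportError:
    gssapi = gssraw = None
try:
    import paramiko
except ImportError:
    paramiko = None


def principal_for(username: str, realm: str) -> str:
    """User principal from a bare short name. Names carrying '@' or '/' are
    rejected so a caller cannot smuggle in a different principal or realm."""
    if not username or "@" in username or "/" in username:
        raise ValueError("username must be a bare short name")
    return f"{username}@{realm}"


def ccache_path(username: str, base_dir: str = "/tmp") -> str:
    """One FILE: credential cache per hub user, never the hub's own default
    cache, so tickets of different users are never mixed in one cache."""
    safe = "".join(c for c in username if c.isalnum() or c in "._-")
    if not safe or safe.startswith("."):
        raise ValueError("username contains no usable characters")
    return "FILE:" + os.path.join(base_dir, "krb5cc_hub_" + safe)


def kinit_with_password(username: str, password: str, realm: str,
                        lifetime: Optional[int] = None) -> str:
    """Library-level kinit: acquire an initiator credential with the user's
    password and store it in that user's cache. Returns the cache name."""
    if gssapi is None:
        raise RuntimeError("python-gssapi is not installed")
    krb5 = gssapi.MechType.kerberos
    name = gssapi.Name(principal_for(username, realm),
                       name_type=gssapi.NameType.kerberos_principal)
    acquired = gssraw.acquire_cred_with_password(
        name, password.encode(), lifetime=lifetime, mechs=[krb5], usage="initiate")
    cache = ccache_path(username)
    # store_cred_into writes to the named cache instead of the process default,
    # so the hub's own credentials (if any) are left untouched.
    gssraw.store_cred_into({b"ccache": cache.encode()}, acquired.creds,
                           usage="initiate", mech=krb5, overwrite=True,
                           set_default=True)
    return cache


def gss_connect_kwargs(host: str, username: str) -> dict:
    """SSHClient.connect() options for GSSAPI userauth. gss_deleg_creds forwards
    the TGT to the cluster so the batch job itself can reach Kerberised NFSv4
    (the second hop); that needs a forwardable TGT (krb5.conf: forwardable = true).
    Keys and agents are disabled so auth cannot silently fall back to them."""
    return {"hostname": host, "username": username,
            "gss_auth": True, "gss_kex": False, "gss_deleg_creds": True,
            "gss_host": host, "look_for_keys": False, "allow_agent": False}


def run_remote(host: str, username: str, cache: str, command: str) -> Tuple[int, str]:
    """Make `cache` the default ccache for this process, then run `command` over
    SSH. Paramiko's GSSAPI code has no argument for a credential object; it uses
    the default cache, so KRB5CCNAME is the hand-over point. Run this in a
    per-user subprocess (as a spawner would) so the variable is never shared."""
    if paramiko is None:
        raise RuntimeError("paramiko is not installed")
    os.environ["KRB5CCNAME"] = cache
    client = paramiko.SSHClient()
    client.load_system_host_keys()
    client.set_missing_host_key_policy(paramiko.RejectPolicy())  # no TOFU
    client.connect(**gss_connect_kwargs(host, username))
    try:
        _, stdout, _ = client.exec_command(command)
        output = stdout.read().decode()
        status = stdout.channel.recv_exit_status()
    finally:
        client.close()
    return status, output


if __name__ == "__main__":
    import getpass
    user = input("username: ")
    cc = kinit_with_password(user, getpass.getpass(), "EXAMPLE.ORG")
    print(run_remote("login.example.org", user, cc, "klist && sbatch job.sh"))
```

Two caveats a practitioner would check before relying on this. First, KRB5CCNAME is process-wide, so a multi-user hub must run the connect step in a per-user subprocess (which is how spawners normally work anyway), not in the shared hub process. Second, the delegation that lets the batch job reach Kerberised NFSv4 (the "double hop" raised in the comments) only works if the TGT is forwardable and the target sshd has GSSAPIAuthentication enabled with a host/ principal in its keytab; without that, the job lands on the cluster with no ticket and the NFS mount is unreadable.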

0 Answers