Class KerberosCredential

Namespace

Tmds.Ssh

Assembly

Tmds.Ssh.dll

Credential for Kerberos authentication.

public sealed class KerberosCredential : Credential

Inheritance

object

Credential

KerberosCredential

Inherited Members

object.Equals(object)

object.Equals(object, object)

object.GetHashCode()

object.GetType()

object.ReferenceEquals(object, object)

object.ToString()

Constructors

KerberosCredential(NetworkCredential?, bool, string?)

Create a credential for Kerberos authentication.

public KerberosCredential(NetworkCredential? credential = null, bool delegateCredential = false, string? targetName = null)

Parameters

credential NetworkCredential

The credentials to use for the Kerberos authentication exchange. Set to null to use a cached ticket.

delegateCredential bool

Allows the SSH server to delegate the user on remote systems.

targetName string

Override the service principal name (SPN), default uses host/HostName.

Remarks

The credential specified is used for the Kerberos authentication process. This can either be the same or different from the username specified through SshClientSettings.UserName. The client settings username is the target login user the SSH service is meant to run as, whereas the credential is the Kerberos principal used for authentication. The rules for how a Kerberos principal maps to the target user is defined by the SSH service itself. For example on Windows the username should be the same but on Linux the mapping can be done through a .k5login file in the target user's home directory.

If the credential is null, the Kerberos authentication will be done using a cached ticket. For Windows, this is the current thread's identity (typically logon user) will be used. For Unix/Linux, this will use the Kerberos credential cache principal, which may be managed using the kinit command. If there is no available cache credential, the authentication will fail.

Credentials can only be delegated if the Kerberos ticket retrieved from the KDC is marked as forwardable. Windows hosts will always retrieve a forwardable ticket but non-Windows hosts may not. When using an explicit credential, make sure that 'forwardable = true' is set in the krb5.conf file so that .NET will request a forwardable ticket required for delegation. When using a cached ticket, make sure that when the ticket was retrieved it was retrieved with the forwardable flag. If the ticket is not forwardable, the authentication will still work but the ticket will not be delegated.