Git for Windows,Domain Kerberos + ssh到Linux服务器? [英] Git for Windows, Domain Kerberos + ssh to Linux Server?
问题描述
我一直在对着桌子猛撞我的头,试图为开发人员提供一个开箱即用的windows工作站git。这已经100%适用于Linux,你kinit,然后你ssh没有被提示。
Active Directory域用作Kerberos服务器,KDC等。我的Linux客户端可以从它获得它们的kerberos票据,并将它们传递到我的linux服务器,而无需任何问题。事实上,我已经被kerberos AD烫伤了,我很不幸地知道它非常好。
通常在Linux客户端上,我必须有一个适当的krb5.conf,git for windows是否支持这种类型的配置?我只是把一个放在etc目录下?
感谢任何帮助,在git for windows上复制此客户端体验......或获得明确表明实际上不可能的硬性确认。
经过一番深入研究后,我明白了为什么这种方式永远不会奏效。 b
基本上从本地操作系统获得Kerberos支持,您必须使用与本机操作系统相同的链接库。这意味着,当您登录Windows时,您的故障单可用于链接到Windows SSPI的任何程序。
GitBash不是完整的操作系统端口,因为它没有与Windows SSPI本地集成。现在,如果你有一个使用与GitBash相同的库编译的 kinit ,至少你可以手动执行第二个 kinit 。这正是我在Cygwin上所做的。我发现GitBash DID已经编译了GSSAPI支持,但是没有附带的kinit,没有办法通过一张票。
我需要自己创建一个版本的GitBash,包括编译的 kinit ,或返回Cygwin。考虑到这是一个企业环境,它们都不是一个可以远程支持的选项。
我认为可能的是,将Git设置为使用putty的 plink ,最近的版本将SSPI链接到为其Kerberos。
I've been bashing my head against the desk, attempting to provide an out of box, windows workstation git for developers. This already 100% works on Linux, you kinit, and then you ssh without being prompted.
The Active Directory Domain Serves as the Kerberos Server, KDC etc.. My Linux Clients can get their kerberos tickets from it, and pass them to my linux servers, without any problem. In fact I've been so burned with kerberos AD, I know it incredibly well unfortunately.
Normally on Linux clients, I have to have a proper krb5.conf, does git for windows support this type of config? DO I just throw one in the "etc" directory?
Thanks, I appreciate any help, replicating this client experience on "git for windows".... or getting hard confirmations that clearly indicate this is not actually possible.
After some intense research, I was able to understand why this was never going to work.
Basically to have Kerberos support from the native OS, you have to use the same linked library as the native OS. This means that when you login Windows, your ticket is available to any program which link to the Windows SSPI.
GitBash isn't a full OS port, as it has no native integration with the Windows SSPI. Now if you had a kinit compiled with the same library as in GitBash, at LEAST you could manually do a second kinit. This is exactly what I used to do on Cygwin. I found GitBash DID have GSSAPI support compiled in, but without the accompanying kinit, there is no way to pass a ticket.
I'd either need to make my own version of GitBash, including a compiled kinit, or go back to Cygwin. Neither was a remotely supportable option, considering this is an enterprise environment.
What I DO believe is possible, is setting Git to use the putty's plink, the recent versions have SSPI linked for its Kerberos.
这篇关于Git for Windows,Domain Kerberos + ssh到Linux服务器?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
