Refresh kerberos ticket instead of prompting for pam password

Using centralised auth against FreeIPA is working great. In order to use Kerberos SSO when using ssh, scp etc from jumphosts users must initiate their Kerberos tickets first with kinit. I've added this to bashrc for users so that they're prompted for their password as none of the clients aren't tied to the IPA realm.

However, the tickets time out after 24 hours. Thus if a user tries to ssh or scp with an expired ticket, SSO fails and they're prompted for their password. Users forget about kinit, and so I'm wondering if there's anything I can do to get the system to try to renew the Kerberos ticket before falling back to pam-based password auth. That way when a user's ticket expires they'll only get prompted for a password once every 24 hours. Negating the need for users to manually do an arbitrary kinit every 24 hours.

Please note that users may have a number of sessions open on the same jumphost either through multiple ssh sessions or session managers like screen and byobu. I know that the Kerberos tickets will be separate for each jumphost they connect to from their non-IPA machine(s).

Due to the above, I don't think it's a solution to crontab the validity of Kerberos tickets, as 1) a user may be idle and 2) a user with multiple sessions open may be prompted multiple times for the same ticket, leading to user confusion and frustration.

Use a kinit -R cronjob on the jumpboxes.

At the point when users run ssh while their ticket has already expired, nothing can be done – an expired ticket can't be renewed anymore; renewal needs to be done earlier than that.

Although in theory libkrb5 could proactively extend a valid TGT whenever the user runs ssh, in practice it wouldn't make much sense; there's nothing that would ensure the user will indeed run ssh at the right moment. So automated proactive renewal only makes sense on a schedule, i.e. cron or similar.

(Current versions of libkrb5 can automatically acquire new tickets off a client keytab, if the user has created one; but I suppose it wouldn't be desirable to store what's essentially their password on the jumpbox.)

Please note that users may have a number of sessions open on the same jumphost either through multiple ssh sessions or session managers like screen and byobu.

That would only be relevant if the jumphost automatically acquired Kerberos tickets for the user via PAM (e.g. if you used pam_krb5). But having to do a manual kinit strongly implies that the user has just the one "default" ticket cache on the jumphost, regardless of their session count – as, if they have no tickets, then it's almost guaranteed nothing has set $KRB5CCNAME for them either – so you most likely can use a cron job to handle renewal.

So if the TGT has been acquired with the Renewable flag, the user could just have a @hourly cron job (or systemd .timer, if your distribution supports that) which renews their TGT using kinit -R. The krenew daemon (which also needs to run at user level) can also perform the same task.

Though, even if users do have multiple ticket caches, having a cronjob that renews them all is really not much of a task: it's just a Bash for loop that runs kinit -R -c $cache for every cache it finds.

Note that ticket renewal is usually capped at 7 or 14 days (I am not sure what the FreeIPA defaults are, but I believe the underlying MIT Krb5 KDC has a hard limit of 14 days).

(Also, renewal will discard other non-TGT tickets from the cache, but that's not important – they aren't needed for already-active sessions and they'll be re-acquired when needed.)

Another option: Use the jumphosts as tunnel servers, not as interactive shell servers. That is, have the user do kinit on their system, then "directly" initiate SSH to the target using the jumphost as a raw TCP tunnel host (using ProxyJump). They will authenticate to both systems using their local tickets; their local system will handle renewal.

I know that the Kerberos tickets will be separate for each jumphost they connect to from their non-IPA machine(s).

That's not an issue, each copy of the TGT can be renewed independently.