[27163] in Kerberos
Re: SSH with auth_to_local on common account
daemon@ATHENA.MIT.EDU (Edward Murrell)
Wed Jan 3 20:15:23 2007
Message-ID: <459C5447.6080104@dlconsulting.com>
Date: Thu, 04 Jan 2007 14:11:35 +1300
From: Edward Murrell <edward@dlconsulting.com>
MIME-Version: 1.0
To: kerberos@mit.edu
In-Reply-To: <459C23F5.3050607@dlconsulting.com>
X-SA-Exim-Mail-From: edward@dlconsulting.com
Reply-To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
In the interests of helping people with the same problem in the
future... I thought I'd post where I'm up to with this.
So, pam_krb5 isn't sufficient to do this job. It would appear that SSH
uses NSS to look up a list of users that do exist on the system.
Since my local user doesn't exist, SSH allows you to enter a password in
the name of not giving away information about what users do exist on the
system, then kicks you out. The solution is to have a list of users that
exist in some way available to NSS (like /etc/passwd or LDAP), even if
you can't actually log in to the system with them.
I guess I'll have to get LDAP updates working. I guess I'm going to have
to kick OpenLDAP around a bit again. *sigh* (I've not had great success
with OpenLDAP replicas).
Cheers,
Edward
Edward Murrell wrote:
> Hi all,
>
> I've got an issue with KRB5 auth_to_local and ssh that I'm trying to
> work out.
>
> I have a machine called 'hobbes' with a common user account that I'm to
> get working with SSH and Kerberos.
>
> Normal SSH + Kerberos works perfectly.
>
> However, the specs call for anyone with a valid Kerberos account to be
> able to log in via SSH to a common account (called dlc).
>
> Using the following, I have been able to get the following to work if
> the initiating user has a valid Kerberos ticket;
>
> Changes:
> krb5.conf REALM:
> auth_to_local = RULE:[1:dlc]
> auth_to_local = RULE:[2:dlc]
> auth_to_local = DEFAULT
>
> /etc/pam.d/common-account:
> account sufficient pam_krb5.so
> account required pam_unix.so
>
> Command:
> ssh -l dlc hobbes
>
>
> The problem is that users will at times need to log in from a location
> that does not have Kerberos installed. At this point, the system will
> ask for the password for the dlc Kerberos user (that does not exist),
> and will fail with an error like the following:
>
> Jan 3 16:23:29 hobbes sshd[17471]: error: PAM: System error for illegal
> user edward from 1.1.1.1
> Jan 3 16:23:29 hobbes sshd[17471]: Failed unknown for illegal user
> edward from 1.1.1.1 port 54214 ssh2
>
> From looking at the logs, it looks like the pam krb5 doesn't get called
> at all.
>
> Any suggestions?
> I'm sure it's a very simple answer but I'm just too silly to work it out.
>
> Cheers
> Edward
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
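The two halves of the problem in this thread (mapping an arbitrary principal to the shared account with auth_to_local, and sshd then requiring that account to be resolvable through NSS) can be walked through in a small simulation. The following is an added example written for this archive page; it is not code from the original post or from MIT Kerberos. It re-implements a simplified version of the MIT `RULE:[n:string](regexp)s/pat/rep/` grammar and the `DEFAULT` rule in Python (Python regexes stand in for the POSIX ones krb5 uses, and the optional regexp may not contain parentheses), uses a made-up local realm `EXAMPLE.COM`, and a constructed passwd-style set that deliberately lacks `dlc`. It also shows a second, assumed rule set that applies the `dlc` mapping only to principals in the local realm, since `RULE:[1:dlc]` as posted matches any single-component principal from any realm the host trusts.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Assumptions for this example: a made-up local realm and a constructed
# NSS-style passwd list in which the shared account "dlc" is deliberately absent.
LOCAL_REALM = "EXAMPLE.COM"
PASSWD_WITHOUT_DLC = frozenset({"root", "edward"})

# The rules from the original post, in evaluation order.
POSTED_RULES = ["RULE:[1:dlc]", "RULE:[2:dlc]", "DEFAULT"]

# Assumed alternative: format the full principal, require the local realm,
# then rewrite the whole thing to "dlc". Foreign-realm principals fall through.
SCOPED_RULES = [r"RULE:[1:$1@$0](.*@EXAMPLE\.COM)s/.*/dlc/", "DEFAULT"]

_RULE_HEAD = re.compile(r"^\[(\d+):([^\]]*)\](.*)$")
_SED = re.compile(r"s/([^/]*)/([^/]*)/(g?)")


def parse_principal(principal: str) -> Tuple[List[str], str]:
    """Split 'comp1/comp2@REALM' into components and realm; an unqualified name gets the local realm."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        name, realm = principal, LOCAL_REALM
    return name.split("/"), realm


def apply_rule(rule: str, principal: str) -> Optional[str]:
    """Evaluate one auth_to_local entry; None means the rule does not apply to this principal."""
    comps, realm = parse_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT: a single-component principal in the local realm maps to that component.
        return comps[0] if realm == LOCAL_REALM and len(comps) == 1 else None
    if not rule.startswith("RULE:"):
        raise ValueError(f"unsupported auth_to_local entry: {rule}")
    m = _RULE_HEAD.match(rule[len("RULE:"):])
    if not m:
        raise ValueError(f"malformed RULE: {rule}")
    n, fmt, rest = int(m.group(1)), m.group(2), m.group(3)
    if len(comps) != n:  # [n:...] only applies to principals with exactly n components
        return None

    # $0 expands to the realm, $1..$n to the components.
    def expand(tok):
        i = int(tok.group(1))
        return realm if i == 0 else comps[i - 1]

    candidate = re.sub(r"\$(\d+)", expand, fmt)
    # Optional (regexp): the whole formatted string must match, otherwise the rule is skipped.
    if rest.startswith("("):
        close = rest.index(")")  # simplification: no parentheses inside the pattern
        if not re.fullmatch(rest[1:close], candidate):
            return None
        rest = rest[close + 1:]
    # Optional sed-style s/pat/rep/[g] rewrites applied to the formatted string.
    for pat, rep, g in _SED.findall(rest):
        candidate = re.sub(pat, rep, candidate, count=0 if g else 1)
    return candidate


def auth_to_local(rules: Iterable[str], principal: str) -> Optional[str]:
    """First rule that yields a name wins; None if nothing maps the principal."""
    for rule in rules:
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None


def ssh_login_decision(rules: Iterable[str], principal: str, passwd) -> Tuple[str, Optional[str]]:
    """Mapping is only half the job: sshd still needs the mapped name to exist in NSS."""
    local = auth_to_local(rules, principal)
    if local is None:
        return ("no mapping", None)
    if local not in passwd:
        return ("unknown local user", local)  # the "illegal user" case from the post
    return ("allowed", local)


if __name__ == "__main__":
    for princ in ("edward@EXAMPLE.COM", "host/hobbes@EXAMPLE.COM", "mallory@OTHER.REALM"):
        print(princ, "->", ssh_login_decision(POSTED_RULES, princ, PASSWD_WITHOUT_DLC),
              "| scoped, dlc present:",
              ssh_login_decision(SCOPED_RULES, princ, PASSWD_WITHOUT_DLC | {"dlc"}))
```

Running it shows that with the posted rules every one- or two-component principal maps to `dlc`, including one from another realm, and that the login is still refused until `dlc` is present in the passwd source; with the scoped rule set the foreign-realm principal gets no mapping at all while local-realm users still land on `dlc` once that account exists.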