[27165] in Kerberos


Re: SSH with auth_to_local on common account

daemon@ATHENA.MIT.EDU (Bjoern Tore Sund)
Thu Jan 4 15:48:48 2007

Message-ID: <459CBCFD.8010602@it.uib.no>
Date: Thu, 04 Jan 2007 09:38:21 +0100
From: Bjoern Tore Sund <bjorn.sund@it.uib.no>
MIME-Version: 1.0
To: kerberos@mit.edu
In-Reply-To: <459C5447.6080104@dlconsulting.com>
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit


The solution is to have nscd running.  At least that solved the issue 
for me.

-BT

Edward Murrell wrote:
> In the interests of helping people with the same problem in the
> future... I thought I'd post where I'm up to with this.
> 
> So, pam_krb5 isn't sufficient to do this job. It would appear that SSH
> uses NSS to look up a list of users that do exist on the system.
> 
> Since my local user doesn't exist, SSH allows you to enter a password in
> the name of not giving away information about what users do exist on the
> system, then kicks you out. The solution is to have a list of users that
> exist in some way available to NSS (like /etc/passwd or LDAP), even if
> you can't actually log in to the system with them.
> 
> I guess I'll have to get LDAP updates working. I guess I'm going to have
> to kick OpenLDAP around a bit again. *sigh* (I've not had great success
> with OpenLDAP replicas).
> 
> Cheers,
> Edward
> 
> Edward Murrell wrote:
>> Hi all,
>>
>> I've got an issue with KRB5 auth_to_local and ssh that I'm trying to
>> work out.
>>
>> I have a machine called 'hobbes' with a common user account that I'm to
>> get working with SSH and Kerberos.
>>
>> Normal SSH + Kerberos works perfectly.
>>
>> However, the specs call for anyone with a valid Kerberos account to be
>> able to login via SSH to a common account (called dlc).
>>
>> Using the following changes, I have been able to get this to work if
>> the initiating user has a valid Kerberos ticket:
>>
>> Changes:
>> krb5.conf REALM:
>>         auth_to_local = RULE:[1:dlc]
>>         auth_to_local = RULE:[2:dlc]
>>         auth_to_local = DEFAULT
>>
>> /etc/pam.d/common-account:
>>     account sufficient      pam_krb5.so
>>     account required        pam_unix.so
>>
>> Command:
>>     ssh -l dlc hobbes
>>
>>
>> The problem is that users will at times need to log in from a location
>> that does not have Kerberos installed. At this point, the system will
>> ask for the password for the dlc Kerberos user (that does not exist),
>> and will fail with an error like the following:
>>
>> Jan  3 16:23:29 hobbes sshd[17471]: error: PAM: System error for illegal
>> user edward from 1.1.1.1
>> Jan  3 16:23:29 hobbes sshd[17471]: Failed unknown for illegal user
>> edward from 1.1.1.1 port 54214 ssh2
>>
>> From looking at the logs, it looks like the pam krb5 doesn't get called
>> at all.
>>
>> Any suggestions?
>> I'm sure it's a very simple answer but I'm just too silly to work it out.
>>
>> Cheers
>> Edward
> 


-- 
Bjørn Tore Sund       Phone: 555-84894   Email:   bjorn.sund@it.uib.no
IT department         VIP:   81724       Support: http://bs.uib.no
Univ. of Bergen

When in fear and when in doubt, run in circles, scream and shout.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
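The two steps the thread is really about, as an added example that is not code from the thread or from MIT krb5: first the auth_to_local RULE evaluation that turns a ticket's principal into a local account name, then the NSS lookup (getpwnam) that sshd performs on a login name before PAM is ever consulted. The rule parser is a simplified re-implementation of the documented MIT syntax `RULE:[n:string](regexp)s/pattern/replacement/g`, with the regexp and substitution parts treated as optional; it is not libkrb5's code, and the realm EXAMPLE.COM, the principal names and the realm-anchored variant of the rule are assumptions made for the example.

```python
"""Model of MIT krb5 auth_to_local RULE evaluation plus the NSS check that
sshd performs on the resulting local name.

Added example, not code from the mailing-list thread or from MIT krb5.
The rule parser is a simplified re-implementation of the documented syntax
RULE:[n:string](regexp)s/pattern/replacement/g; escaping inside principal
names is not handled.  Realm and principal names are constructed here."""
import pwd
import re

LOCAL_REALM = "EXAMPLE.COM"   # assumption: the realm 'hobbes' belongs to

# The rule list from the thread, evaluated in order; the first rule that
# yields a name wins.
POSTED_RULES = ["RULE:[1:dlc]", "RULE:[2:dlc]", "DEFAULT"]

# Assumed variant that only maps principals from LOCAL_REALM to dlc:
# select the realm ($0), require it to be ours, then rewrite it to 'dlc'.
REALM_ANCHORED_RULES = [r"RULE:[1:$0](^EXAMPLE\.COM$)s/.*/dlc/", "DEFAULT"]

RULE_RE = re.compile(
    r"^RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\]"          # [n:string] selector
    r"(?:\((?P<regex>.*?)\))?"                         # optional (regexp)
    r"(?:s/(?P<pat>(?:[^/\\]|\\.)*)/(?P<rep>(?:[^/\\]|\\.)*)/(?P<g>g)?)?$"
)


def split_principal(principal):
    """'edward/admin@EXAMPLE.COM' -> (['edward', 'admin'], 'EXAMPLE.COM')."""
    name, _, realm = principal.rpartition("@")
    return name.split("/"), realm


def apply_rule(rule, principal):
    """Return the local name produced by one rule, or None if it does not apply."""
    comps, realm = split_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT: a single-component principal in the local realm maps to
        # that component; anything else is not mapped by this rule.
        return comps[0] if realm == LOCAL_REALM and len(comps) == 1 else None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unparseable auth_to_local rule: %r" % rule)
    if len(comps) != int(m.group("n")):
        return None                       # selector wants exactly n components
    # Build the selection string: $0 is the realm, $1..$n the components.
    parts = [realm] + comps
    sel = re.sub(r"\$(\d+)", lambda mm: parts[int(mm.group(1))], m.group("fmt"))
    if m.group("regex") is not None and not re.search(m.group("regex"), sel):
        return None                       # rule does not apply to this principal
    if m.group("pat") is not None:
        count = 0 if m.group("g") else 1  # 'g' flag means replace all matches
        sel = re.sub(m.group("pat"), m.group("rep"), sel, count=count)
    return sel


def auth_to_local(principal, rules=POSTED_RULES):
    """Walk the rule list in order; None means no rule mapped the principal."""
    for rule in rules:
        name = apply_rule(rule, principal)
        if name is not None:
            return name
    return None


def sshd_would_accept(login_name):
    """sshd resolves a login name through NSS (getpwnam) before PAM runs.
    A name NSS cannot resolve is logged as an 'illegal user' no matter what
    the PAM stack says, which is the failure Edward's log shows."""
    try:
        pwd.getpwnam(login_name)
        return True
    except KeyError:
        return False


if __name__ == "__main__":
    for p in ("edward@EXAMPLE.COM", "edward/admin@EXAMPLE.COM", "bob@OTHER.REALM"):
        print(p, "->", auth_to_local(p), "| realm-anchored:",
              auth_to_local(p, REALM_ANCHORED_RULES))
    # For a password login there is no principal to map: sshd simply looks
    # up the typed login name, so that name must exist in NSS.
    print("edward resolvable via NSS:", sshd_would_accept("edward"))
```

Two things the model makes visible. With the posted rules, a password login as `edward` never reaches the mapping at all: sshd looks up `edward` through NSS first, and an unresolvable name is treated as an illegal user, which is why adding the users to /etc/passwd or LDAP (and keeping nscd, as Bjoern suggests, serving those lookups) is what fixes it. Separately, `RULE:[1:dlc]` carries no realm constraint, so if the realm ever acquires a cross-realm trust, every single-component principal from the trusted realm would also land on the dlc account; the realm-anchored variant above (an assumption, not from the thread) shows how the regexp part of the rule can pin the mapping to the local realm.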

