Re: ssh GSSAPI and auth_to_local
daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Sep 28 22:11:18 2010
From: Greg Hudson <ghudson@mit.edu>
To: Tom Parker <tparker@cbnco.com>
In-Reply-To: <4CA140CE.9060202@cbnco.com>
Date: Tue, 28 Sep 2010 22:11:09 -0400
Message-ID: <1285726269.20521.934.camel@ray>
Mime-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Mon, 2010-09-27 at 21:11 -0400, Tom Parker wrote:
> [realms]
>     CENTRAL = {
>         auth_to_local = RULE:[1:$1@CENTRAL]
>         auth_to_local = RULE:[2:$1@CENTRAL]
>     }
>
> This works great for ssh with passwords but it has totally broken the
> GSSAPI Single Sign On.
I'm not sure if krb5_kuserok or krb5_aname_to_lname would come into play
during password auth.
> From what I can see with strace and a little reading, the krb5_kuserok
> function that is used to validate a user is ignoring the auth_to_local
> directives and is stripping off everything but the first component of a
> principal.
That's not my reading of the code. However: auth_to_local rules are
always looked up in the host's default realm, not the realm of the
principal. So I would think you would want:
[realms]
    <default domain> = {
        auth_to_local = RULE:[1:$1@$0]
        auth_to_local = RULE:[2:$1@$0]
    }
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
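The lookup behaviour Greg describes (the auth_to_local list is taken from the host default realm's section, never from the principal's own realm, and $0 expands to the principal's realm) is modelled below in Python. This is an added example, not code from the thread or from MIT krb5. The host default realm EXAMPLE.COM, the principal names and the realm-stripping rule at the end are constructed for the demonstration; the (regexp) and s/pattern/replacement/ handling follows the documented RULE syntax in simplified form.

```python
import re

# Constructed stand-in for the krb5.conf [realms] section: realm -> auth_to_local values in order.
HOST_DEFAULT_REALM = "EXAMPLE.COM"  # constructed; the mail only says "<default domain>"

# Tom's configuration from the quoted mail: the rules sit under CENTRAL.
CONF_TOM = {
    "CENTRAL": ["RULE:[1:$1@CENTRAL]", "RULE:[2:$1@CENTRAL]"],
}

# Greg's suggestion: rules under the host's default realm, with $0 for the principal's realm.
CONF_GREG = {
    HOST_DEFAULT_REALM: ["RULE:[1:$1@$0]", "RULE:[2:$1@$0]"],
}

# RULE:[n:template](regexp)s/pattern/replacement/g  (regexp and s/// parts optional)
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\](?:\((.*?)\))?((?:s/.*?/.*?/g?)*)$")
SED_RE = re.compile(r"s/(.*?)/(.*?)/(g?)")


def parse_principal(principal):
    """Split 'comp1/comp2@REALM' into (['comp1', 'comp2'], 'REALM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError("principal has no realm: %r" % principal)
    return name.split("/"), realm


def apply_rule(rule, components, realm, default_realm):
    """Return the local name this single rule yields, or None if it does not apply."""
    if rule == "DEFAULT":
        # DEFAULT maps only single-component principals of the host's default realm.
        if realm == default_realm and len(components) == 1:
            return components[0]
        return None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unparseable auth_to_local value: %r" % rule)
    ncomp, template, regexp, sed_part = m.groups()
    # The [n:...] selector only fires for principals with exactly n components.
    if len(components) != int(ncomp):
        return None

    # $0 is the principal's realm, $1..$n are its components.
    def expand(match):
        idx = int(match.group(1))
        if idx > len(components):
            raise ValueError("template references $%d but principal has %d components"
                             % (idx, len(components)))
        return realm if idx == 0 else components[idx - 1]

    candidate = re.sub(r"\$(\d+)", expand, template)
    # The optional (regexp) must match the whole expanded string (modelled as a full match).
    if regexp is not None and re.fullmatch(regexp, candidate) is None:
        return None
    # Optional s/pattern/replacement/[g] steps, applied in order.
    for pat, rep, flag in SED_RE.findall(sed_part):
        candidate = re.sub(pat, rep, candidate, count=0 if flag else 1)
    return candidate


def aname_to_lname(principal, realms_conf, default_realm):
    """Map a principal to a local name the way the mail describes the library behaviour:
    rules come from the *host default realm's* section, not the principal's realm;
    with no rules configured, DEFAULT applies."""
    components, realm = parse_principal(principal)
    rules = realms_conf.get(default_realm) or ["DEFAULT"]
    for rule in rules:
        local = apply_rule(rule, components, realm, default_realm)
        if local is not None:
            return local
    return None  # no rule matched: the login would be refused


if __name__ == "__main__":
    for label, conf in (("Tom's config", CONF_TOM), ("Greg's config", CONF_GREG)):
        for princ in ("tparker@CENTRAL", "host/ws.example.com@CENTRAL", "alice@EXAMPLE.COM"):
            print("%-14s %-30s -> %r" % (label, princ, aname_to_lname(princ, conf, HOST_DEFAULT_REALM)))
```

With the rules filed under CENTRAL, a host whose default realm is EXAMPLE.COM never reads them, falls back to DEFAULT, and rejects tparker@CENTRAL; filed under the default realm with $0, the same principal maps. The last constructed rule in the test shows the full syntax, where a (regexp) restricts the rule to one realm and an s/// step strips the realm suffix.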