[39106] in Kerberos


Re: Using an alternate principal for ssh

daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue May 31 15:11:55 2022

Message-ID: <410be09d-0680-96f9-ef59-599c0a9996e3@mit.edu>
Date: Tue, 31 May 2022 15:08:13 -0400
MIME-Version: 1.0
Content-Language: en-US
To: Dan Mahoney <danm@prime.gushi.org>, kerberos@mit.edu
From: Greg Hudson <ghudson@mit.edu>
In-Reply-To: <622B5998-57E0-450C-88C4-96FA04220AB8@prime.gushi.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 5/31/22 12:05, Dan Mahoney wrote:
> On most of our boxes, ssh is the ONLY kerberized app, but there's no provision in krb5.conf to say what the default principal based on a username is.  None of the PAM modules seem to be able to set it, either.  I conjured up an elaborate way to do this by forcing the .k5logindir to be something the users couldn't touch, and forcing a create for each user, but this doesn't help the password case.
> 
> Does anyone know of a simple way to accomplish this?  There are some clients, like mobile ones, where, VPN or no, kinit'ing is not an option.

The OpenSSH sshd code decides the principal name, not libkrb5.  Looking
at the OpenSSH auth-krb5.c, I don't think there's any configurability;
it picks a principal name of
authctxt->pw->pw_name (except on AIX), parses that, and calls
krb5_get_init_creds_password().
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
