[39109] in Kerberos


Re: Using an alternate principal for ssh

daemon@ATHENA.MIT.EDU (Carson Gaspar)
Tue May 31 15:38:30 2022

Message-ID: <e2ac1b0e-c77a-2771-bf9c-a5c3195a3f5e@taltos.org>
Date: Tue, 31 May 2022 12:35:02 -0700
MIME-Version: 1.0
Content-Language: en-US
To: kerberos@mit.edu
From: Carson Gaspar <carson@taltos.org>
In-Reply-To: <CALF+FNx1A+rwTEntG7bza1eLZcizk5WpfLQ0QsP8BZH-6zr1pA@mail.gmail.com>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: kerberos-bounces@mit.edu

On 5/31/2022 12:16 PM, Jeffrey Hutzelman wrote:
> That code should not actually be used on a properly-configured PAM-based
> system. Typical configuration for such systems should enable UsePAM and
> KbdInteractiveAuthentication and disable PasswordAuthentication and
> ChallengeResponseAuthentication. This causes all password verification to
> go through PAM. Then all you need is a PAM module that can be configured to
> behave as you desire. I believe Russ Allbery's pam_krb5 has all the knobs
> you need.

I agree about the sshd config options, but looking at the source code 
for Russ's pam_krb5, I don't think it will work as-is without changing 
the username provided by the client (see my previous post).

> For true Kerberos authentication (i.e. using Kerberos tickets, not a
> password), you can control which principals are allowed to log in as a user
> by means of the user's .k5login file.

Please, no - set up a localname mapping instead of trying to manage a 
bajillion k5login files. I was so happy when MIT finally added the 
k5login_directory option so I could move .k5login out of the home dir 
and stop users from doing terrible things.

-- 

Carson


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
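As an added illustration of the localname mapping Carson recommends in place of per-user .k5login files (this is example configuration written for this page, not text from the thread or from the MIT krb5 project; the realm EXAMPLE.COM, the KDC hostname and the directory /etc/k5login.d are assumptions), the following krb5.conf fragment maps two-component principals such as alice/admin@EXAMPLE.COM to the local account alice with auth_to_local rules, and moves any remaining k5login files out of home directories with k5login_directory:

```ini
# /etc/krb5.conf -- added example, not from the thread.
# Realm, KDC name and /etc/k5login.d are assumed values.
[libdefaults]
    default_realm = EXAMPLE.COM
    # Look for a user's k5login file as /etc/k5login.d/<localname>
    # instead of ~<localname>/.k5login, so users cannot edit their own.
    k5login_directory = /etc/k5login.d
    # Default is true: if a k5login file exists for the user but does not
    # list the principal, login is denied. If no file exists, the library
    # falls through to the auth_to_local rules below.
    k5login_authoritative = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
        # Rules are tried in order; the first match wins.
        # Selector [2:$1;$2] applies only to two-component principals and
        # builds the string "<comp1>;<comp2>", the parenthesised regex
        # filters it, and the s/// rewrites it into the local username.
        # alice/admin@EXAMPLE.COM -> alice
        auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
        # alice/root@EXAMPLE.COM -> root
        auth_to_local = RULE:[2:$1;$2](^.*;root$)s/^.*$/root/
        # alice@EXAMPLE.COM -> alice (single-component, local realm only)
        auth_to_local = DEFAULT
    }
```

The rules only take effect for principals in the local realm, and anything not matched by a RULE or by DEFAULT (for example bob/admin@OTHER.REALM) gets no local name and is refused, which is the safe failure mode. On the sshd side this mapping is what GSSAPIAuthentication consults once the ticket is verified; when testing, note that in OpenSSH 8.7 and later ChallengeResponseAuthentication is a deprecated alias for KbdInteractiveAuthentication, so setting the two to different values is not meaningful there.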
