[39110] in Kerberos
Re: Using an alternate principal for ssh
daemon@ATHENA.MIT.EDU (Jeffrey Hutzelman)
Tue May 31 15:47:28 2022
In-Reply-To: <e2ac1b0e-c77a-2771-bf9c-a5c3195a3f5e@taltos.org>
From: Jeffrey Hutzelman <jhutz@cmu.edu>
Date: Tue, 31 May 2022 15:43:41 -0400
Message-ID: <CALF+FNxUWnJeBQSCObytkC2brk8cD1op48hm8QHHC8-djN4Z=Q@mail.gmail.com>
To: Carson Gaspar <carson@taltos.org>
Cc: kerberos@mit.edu
On Tue, May 31, 2022 at 3:36 PM Carson Gaspar <carson@taltos.org> wrote:
> On 5/31/2022 12:16 PM, Jeffrey Hutzelman wrote:
> > That code should not actually be used on a properly-configured PAM-based
> > system. Typical configuration for such systems should enable UsePAM and
> > KbdInteractiveAuthentication and disable PasswordAuthentication and
> > ChallengeResponseAuthentication. This causes all password verification to
> > go through PAM. Then all you need is a PAM module that can be configured to
> > behave as you desire. I believe Russ Allbery's pam_krb5 has all the knobs
> > you need.
>
> I agree about the sshd config options, but looking at the source code
> for Russ's pam_krb5, I don't think it will work as-is without changing
> the username provided by the client (see my previous post).
>
It will. You want something like
alt_auth_map=%s/ssh@REALM
only_alt_auth=true
> > For true Kerberos authentication (i.e. using Kerberos tickets, not a
> > password), you can control which principals are allowed to log in as a
> user
> > by means of the user's .k5login file.
>
> Please, no - set up a localname mapping instead of trying to manage a
> bajillion k5login files.
Yeah, a mapping is probably better for this application.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
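The configuration Jeffrey describes has four sshd settings that all have to line up, and a stock sshd_config quietly gets two of them wrong, so the password path never reaches pam_krb5 at all. The script below is an added example written for this thread; it is not code from OpenSSH, pam_krb5 or either poster. It reads an sshd_config the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, settings after the first Match block are conditional) and reports whether the global settings match the recommendation, then prints the pam_krb5 and auth_to_local fragments that implement the `%s/ssh@REALM` alternate-principal scheme and Carson's localname mapping. The realm EXAMPLE.COM, the file paths and the two sample sshd_config files are constructed placeholders.

```shell
#!/bin/sh
# Added example for this thread (not from OpenSSH, pam_krb5 or the posters).
# Checks that an sshd_config routes every password through PAM and shows the
# pam_krb5 / krb5.conf fragments for the user/ssh@REALM scheme. EXAMPLE.COM
# and all file paths are placeholders.

# sshd_effective FILE KEY DEFAULT
# Prints the value sshd would use for KEY: first occurrence wins, matching is
# case-insensitive, and we stop at the first Match block because everything
# after it is conditional. DEFAULT is sshd's built-in default for KEY.
sshd_effective() {
    f=$1; k=$(printf '%s' "$2" | tr 'A-Z' 'a-z'); d=$3
    v=$(awk -v key="$k" '
        /^[[:space:]]*#/       { next }   # comment line
        NF == 0                { next }   # blank line
        tolower($1) == "match" { exit }   # conditional section begins
        tolower($1) == key     { print tolower($2); exit }
    ' "$f")
    printf '%s\n' "${v:-$d}"
}

# check_sshd_pam_config FILE
# Exit 0 when UsePAM=yes, KbdInteractiveAuthentication=yes,
# PasswordAuthentication=no and ChallengeResponseAuthentication=no are the
# effective global settings; otherwise name the first mismatch and exit 1.
# Each spec is KEY:WANTED:SSHD_DEFAULT.
check_sshd_pam_config() {
    file=$1
    for spec in "UsePAM:yes:no" \
                "KbdInteractiveAuthentication:yes:yes" \
                "PasswordAuthentication:no:yes" \
                "ChallengeResponseAuthentication:no:yes"; do
        key=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; dflt=${rest#*:}
        got=$(sshd_effective "$file" "$key" "$dflt")
        if [ "$got" != "$want" ]; then
            echo "$key is '$got', want '$want'" >&2
            return 1
        fi
    done
    return 0
}

# Constructed sample: the layout recommended in the thread. The Match block
# is there to show that conditional overrides do not affect the global check.
write_recommended_sshd_config() {
    cat > "$1" <<'EOF'
# sshd_config (constructed sample)
UsePAM yes
KbdInteractiveAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
}

# Constructed sample: a stock-looking file. sshd verifies passwords itself,
# so pam_krb5's alt_auth_map never sees the login at all.
write_default_sshd_config() {
    cat > "$1" <<'EOF'
# sshd_config (constructed sample)
UsePAM yes
PasswordAuthentication yes
EOF
}

# The pam_krb5 knobs Jeffrey names, in krb5.conf [appdefaults] form, plus an
# auth_to_local rule (MIT RULE syntax) that maps user/ssh@EXAMPLE.COM to
# "user" for ticket-based logins instead of per-user .k5login files.
print_krb5_fragments() {
    cat <<'EOF'
# /etc/krb5.conf (constructed fragment; realm is a placeholder)
[appdefaults]
    pam = {
        alt_auth_map = %s/ssh@EXAMPLE.COM
        only_alt_auth = true
    }
[realms]
    EXAMPLE.COM = {
        auth_to_local = RULE:[2:$1;$2](^.*;ssh$)s/;ssh$//
        auth_to_local = DEFAULT
    }
EOF
}

# Usage: sh check_sshd_pam.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then
    if check_sshd_pam_config "$1"; then
        echo "$1: password auth goes through PAM"
        print_krb5_fragments
    fi
fi
```

The check deliberately treats ChallengeResponseAuthentication and KbdInteractiveAuthentication as separate keywords, which is how they appear in the thread; on OpenSSH 8.7 and later the former is a deprecated alias of the latter, so a file that spells only one of them is resolved by sshd as a single setting and the tool's "absent means default" assumption no longer holds. Run `sshd -T` on the host to see the values sshd actually computed when in doubt.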