[39112] in Kerberos
Re: Using an alternate principal for ssh
daemon@ATHENA.MIT.EDU (Carson Gaspar)
Tue May 31 16:06:39 2022
Message-ID: <20db6458-c4fa-d8cb-9575-191ac357a31b@taltos.org>
Date: Tue, 31 May 2022 13:02:57 -0700
To: kerberos@mit.edu
From: Carson Gaspar <carson@taltos.org>
In-Reply-To: <CALF+FNxUWnJeBQSCObytkC2brk8cD1op48hm8QHHC8-djN4Z=Q@mail.gmail.com>

On 5/31/2022 12:43 PM, Jeffrey Hutzelman wrote:
>
> On Tue, May 31, 2022 at 3:36 PM Carson Gaspar <carson@taltos.org> wrote:
>
> > I agree about the sshd config options, but looking at the source code
> > for Russ's pam_krb5, I don't think it will work as-is without changing
> > the username provided by the client (see my previous post).
>
> It will. You want something like
> alt_auth_map=%s/ssh@REALM
> only_alt_auth=true

Ah - I missed that as it takes a different code path that bypasses the
normal user name mapping. Thanks for the correction!
--
Carson