Kerberos-Gssapi-ldap-pam interaction
Brent A Nelson
brent at phys.ufl.edu
Thu May 15 12:48:55 EDT 2003
Turbo Fredriksson writes:
----- s n i p -----
You don't have to, that's the beauty! All you do is create the file
'/root/.k5login' with the principals that should have FULL access,
or '/root/.k5users' with principal and command. And you authenticate
with your own ticket!
man ksu
The files '/root/.k5{login,users}' would (closely, but with better
security) resemble and replace sudo.
----- s n i p -----
Hmm, this works fine for ksu (after discovering that RedHat doesn't make
ksu setuid root and fixing that), but gives PAM errors with
OpenSSH 3.6.1p2+GSSAPI:
May 15 11:00:36 bani sshd[28552]: Authorized to root, krb5 principal brent@PHYS.UFL.EDU (krb5_kuserok)
May 15 11:00:36 bani sshd[28552]: PAM rejected by account configuration[6]: Permission denied
May 15 11:00:36 bani sshd[28552]: fatal: monitor_read: unsupported request: 38
May 15 11:00:33 bani sshd(pam_unix)[28552]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=bani.phys.ufl.edu user=root
May 15 11:00:33 bani sshd[28552]: pam_krb5afs: authenticate error: Client not found in Kerberos database (-1765328378)
May 15 11:00:33 bani sshd[28552]: pam_krb5afs: authentication fails for `root'
So, it looks like SSH makes the appropriate calls to handle .k5login, but
then passes off to PAM, which ends up looking for 'root' in the Kerberos
database (which doesn't exist).
With .k5login in place even non-Kerberos logins via ssh now fail (somehow
bypassing pam_unix?)!
Thanks,
Brent Nelson
Director of Computing
UF Physics
PS Does anyone know what's happened with Nicolas Williams's patch to get
OpenSSH to take Kerberos principals in the authorized_keys file?