Kerberos-Gssapi-ldap-pam interaction

Brent A Nelson brent at phys.ufl.edu
Thu May 15 12:48:55 EDT 2003


Turbo Fredriksson writes:
----- s n i p -----

You don't have to, that's the beauty! All you do is create the file
'/root/.k5login' with the principals that should have FULL access,
or '/root/.k5users' with principal and command. And you authenticate
with your own ticket!

        man ksu

The files '/root/.k5{login,users}' would (closely, but with better
security) resemble and replace sudo.
----- s n i p -----

Hmm, this works fine for ksu (after discovering that RedHat doesn't make 
ksu setuid root and fixing that), but gives PAM errors with 
OpenSSH 3.6.1p2+GSSAPI:

May 15 11:00:36 bani sshd[28552]: Authorized to root, krb5 principal 
brent at PHYS.UFL.EDU (krb5_kuserok)
May 15 11:00:36 bani sshd[28552]: PAM rejected by account 
configuration[6]: Permission denied
May 15 11:00:36 bani sshd[28552]: fatal: monitor_read: unsupported 
request: 38

May 15 11:00:33 bani sshd(pam_unix)[28552]: authentication failure; 
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=bani.phys.ufl.edu  
user=root
May 15 11:00:33 bani sshd[28552]: pam_krb5afs: authenticate error: Client 
not found in Kerberos database (-1765328378)
May 15 11:00:33 bani sshd[28552]: pam_krb5afs: authentication fails for 
`root'

So, it looks like SSH makes the appropriate calls to handle .k5login, but 
then passes off to PAM, which ends up looking for 'root' in the Kerberos 
database (which doesn't exist).

With .k5login in place even non-Kerberos logins via ssh now fail (somehow 
bypassing pam_unix?)!

Thanks,

Brent Nelson
Director of Computing
UF Physics

PS Does anyone know what's happened with Nicolas Williams's patch to get 
OpenSSH to take Kerberos principals in the authorized_keys file?
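As an added example, not code from this thread or from the ksu project: a small Python audit that parses the two files the quoted reply describes and reports which principals would get unrestricted root via ksu. It assumes the semantics given there (a principal in .k5login has full access; a .k5users line is a principal followed by the commands it may run, with '*' meaning any command); the file contents are constructed samples.

```python
"""Audit which principals ksu would admit to an account via .k5login / .k5users.

Assumed semantics (from the ksu description in the quoted reply):
  - .k5login: one principal per line, each gets FULL access.
  - .k5users: principal followed by permitted commands; '*' = any command.
Sample file contents below are constructed for this demo.
"""

K5LOGIN_SAMPLE = """\
brent@PHYS.UFL.EDU
ops/admin@PHYS.UFL.EDU
"""

K5USERS_SAMPLE = """\
backup@PHYS.UFL.EDU /usr/bin/rsync /bin/tar
monitor@PHYS.UFL.EDU *
intern@PHYS.UFL.EDU
"""


def parse_k5login(text):
    """One principal per line; blank lines are ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def parse_k5users(text):
    """Map principal -> list of commands it may run ('*' means any)."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if fields:
            entries[fields[0]] = fields[1:]   # empty list: nothing explicitly listed
    return entries


def access_report(k5login_text, k5users_text):
    """Map each principal to 'full' or to its allowed command list.

    .k5login wins: a principal listed there is 'full' even if .k5users
    also restricts it (assumption, see lead-in).
    """
    report = {}
    for principal, commands in parse_k5users(k5users_text).items():
        report[principal] = "full" if "*" in commands else commands
    for principal in parse_k5login(k5login_text):
        report[principal] = "full"
    return report


def full_access_principals(k5login_text, k5users_text):
    """Principals equivalent to an unrestricted sudo entry; review these first."""
    rep = access_report(k5login_text, k5users_text)
    return sorted(p for p, v in rep.items() if v == "full")


if __name__ == "__main__":
    for principal, access in sorted(access_report(K5LOGIN_SAMPLE, K5USERS_SAMPLE).items()):
        print(f"{principal:28} {access}")
```

Point it at the real /root/.k5login and /root/.k5users contents to see who holds the sudo-equivalent grants that the quoted reply describes.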
