ssh using gssapi athentication without local account existing on the target machine
Douglas E. Engert
deengert at anl.gov
Tue Dec 13 12:11:04 EST 2005
jay alvarez wrote:
> Hi,
>
> I already got it working but ssh requires local accounts to exist in the machine for it to actually
> allow any authenticated to have a ssh session. Can this be done, let's say machine A doesn't have
> any user account.
> Now I will ssh to machine A and authenticate using GSSAPI, I will then land on a command prompt inside
> my home dir(possibly retrieved through some other means). Anyone done this before?
Assuming UNIX, you still need to start the processes under some UID, be it obtained locally, or from
NIS or LDAP, or even dynamically aassigned. The host also has to make some authorization decision
about accepting the GSSAPI connection. Current GSSPAI does authentication only, you still
need the authorization to the local machine. krb5_kuserok for example does this.
If you use dynamically aassigned UIDs, you then have to cleanup the local file system of
any left over files for the UID.
But sshd appears to wants the remote user to specify the local account to
use, without allowing some mappings from GSSAPI credentials to local account first.
One way would be via PAM. PAM states that the PAM routines can change the pam_user, and
the calling application should accept this, sshd does not.
So the first thing that would be needed is for sshd to continue on if the
user was not found, and let PAM at least have a shot at returning a new valid user.
This has come up on the OpenSSH mailing list from time to time.
>
> Thanks.
>
>
> ---------------------------------
> Yahoo! Shopping
> Find Great Deals on Holiday Gifts at Yahoo! Shopping
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the Kerberos
mailing list