ssh using gssapi athentication without local account existing on the target machine

[Douglas E. Engert]

jay alvarez wrote:

> Hi,
>  
>  I already got it working but ssh requires  local accounts to exist in the machine for it to actually 
 >  allow any authenticated to have a ssh session. Can this be done, let's say machine A doesn't have
 >  any user account.

>  Now I will ssh to machine A and authenticate using GSSAPI, I will then land on a command prompt inside 
 >  my home dir(possibly retrieved through some other means). Anyone done this before?

Assuming UNIX, you still need to start the processes under some UID, be it obtained locally, or from
NIS or LDAP, or even dynamically aassigned. The host also has to make some authorization decision
about accepting the GSSAPI connection. Current GSSPAI does authentication only, you still
need the authorization to the local machine. krb5_kuserok for example does this.

If you use dynamically aassigned UIDs, you then have to cleanup the local file system of
any left over files for the UID.

But sshd appears to wants the remote user to specify the local account to
use, without allowing some mappings from GSSAPI credentials to local account first.
One way would be via PAM. PAM states that the PAM routines can change the pam_user, and
the calling application should accept this, sshd does not.

So the first thing that would be needed is for sshd to continue on if the
user was not found, and let PAM at least have a shot at returning a new valid user.
This has come up on the OpenSSH  mailing list from time to time.

>  
>  Thanks.
>  
> 			
> ---------------------------------
> Yahoo! Shopping
>  Find Great Deals on Holiday Gifts at Yahoo! Shopping 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444