MIT + Heimdal + openssh == cross realm difficulties

Priit Randla priit.randla at eyp.ee
Fri Feb 25 08:20:33 EST 2005


Douglas E. Engert wrote:

>
>
> Priit Randla wrote:
>
>> Douglas E. Engert wrote:
>>
>>> do you have a .k5login file in the home directory on srv1.bbb
>>> which has
>>> priitr at AAA
>>>
>>>
>>    Well, of course I didn't. When I created it, I could log in using 
>> both telnet and openssh. Thank you,
>> I haven't used .rlogin-alikes a long time now...
>> But certainly there is another way to do that; I mean, as I have lots 
>> of workstations and
>> servers (~ 1000) to log on, there should be another way to maintain 
>> cross-realm trust, shouldn't it?
>
>
> Yes and no. The .k5login is really authorization, it is the ACL for
> access to the user account on the host. By default it is assumed that
> users in the same realm as the server have matching local account names
> and principal names, and thus no .k5login is needed.
>
> If you want some default other than this you have to consider
> the policies used with the two realms, i.e. a user in one is equivalent
> to a user in the other, etc.
>
>
>> To create .k5login files for every account on every host doesn't seem 
>> like an elegant solution?
>> Hopefully I'm overlooking something trivial, could you please 
>> enlighten me? I really don't know...
>
>
> With MIT see the auth_to_local rule in the krb5.conf:
>
> http://web.mit.edu/kerberos/krb5-1.4/krb5-1.4/doc/krb5-admin.html#krb5.conf 
>
>
> It's something like this, better test it:
>
> [realms]
>   ONE.EYP.EE = {
>     ...
>     auth_to_local = RULE:[1:$1@$0](^.*@TWO.EYP.EE$)s/@TWO.EYP.EE//
>     auth_to_local = DEFAULT
>   }
>    TWO.EYP.EE = {
>     ...
>   }   
>
> This would say that the host in realm ONE.EYP.EE would accept a
> principal from realm TWO.EYP.EE as long as the user part of the principal
> matched the local account.
>
> Not sure if Heimdal has anything similar.
>
>
Thank you very much, auth_to_local really got me going.
Heimdal doesn't seem to have auth_to_local, I had to use 'default_realm 
= BBB AAA' there for openssh to let users with TGT at AAA in.
Currently 'almost' all seems to work as expected - I'm so far unable to 
get openssh with pam on Heimdal to save obtained TGT with flags intact - 
TGT gets written but without any flags. I think it's got something to do 
with SuSe, as doing openssh the other way (from SuSe (heimdal) to 
RedHat (mit)) the TGT gets saved with all required flags intact.

Regards,
Priit
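An added illustration, not from the thread and not MIT's own code, of how the auth_to_local entries quoted above are evaluated: a small Python model of MIT's RULE/DEFAULT semantics run over constructed principals, showing which ones a host in ONE.EYP.EE would map to a local account and which it would refuse. LOCAL_REALM, the sample principals and the parser's simplifications (no escaped '@' or '/' in names, no escaped slashes inside the s/// part) are assumptions.

```python
import re

LOCAL_REALM = "ONE.EYP.EE"  # assumed: the realm of the server doing the mapping

# auth_to_local entries exactly as krb5.conf lists them; the first entry that
# applies wins, so order matters.
AUTH_TO_LOCAL = [
    "RULE:[1:$1@$0](^.*@TWO.EYP.EE$)s/@TWO.EYP.EE//",
    "DEFAULT",
]

# RULE:[n:format](selector)s/pattern/replacement/[g]...
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\(([^)]*)\)((?:s/[^/]*/[^/]*/g?)*)$")


def parse_principal(principal):
    """Split 'comp1/comp2@REALM' into (components, realm); assumes no escaped '@' or '/'."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"malformed principal: {principal!r}")
    return name.split("/"), realm


def apply_rule(rule, components, realm):
    """Return the local name one entry produces, or None if the entry does not apply."""
    if rule == "DEFAULT":
        # DEFAULT only maps single-component principals from the local realm.
        return components[0] if realm == LOCAL_REALM and len(components) == 1 else None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported auth_to_local entry: {rule!r}")
    ncomp, fmt, selector, subs = m.groups()
    if int(ncomp) != len(components):  # [1:...] matches only 1-component principals
        return None
    s = fmt.replace("$0", realm)  # $0 is the realm, $1..$n the name components
    for i, comp in enumerate(components, start=1):
        s = s.replace(f"${i}", comp)
    if not re.search(selector, s):  # the selector is what restricts this to TWO.EYP.EE
        return None
    for pat, repl, g in re.findall(r"s/([^/]*)/([^/]*)/(g?)", subs):
        s = re.sub(pat, repl, s, count=0 if g else 1)
    return s


def auth_to_local(principal):
    """Map a principal to a local account name; None means the login is refused."""
    components, realm = parse_principal(principal)
    for rule in AUTH_TO_LOCAL:
        local = apply_rule(rule, components, realm)
        if local is not None:
            return local
    return None


if __name__ == "__main__":
    for p in ["priitr@TWO.EYP.EE", "priitr@ONE.EYP.EE",
              "priitr/admin@TWO.EYP.EE", "priitr@OTHER.EXAMPLE"]:
        print(f"{p:26} -> {auth_to_local(p)}")
```

Note that the selector, not the s/// substitution, is the access control: a principal from a third realm falls through both entries and is refused even if the realms trust each other at the KDC level.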

