cross-realm logins with ssh & pam_krb5

Douglas E. Engert deengert at anl.gov
Fri Jan 28 12:06:28 EST 2005



Troy Benjegerdes wrote:

> I want to allow users from two different realms to be able to log into a
> machine via ssh using the pam_krb5 keyboard-interactive authentication
> method.
> 
> Is there a pam_krb5 module that supports this? Ideally, I'd like to
> default to REALM1, and users from realm1 would do 
> "ssh -l user at REALM2 login-machine", and if they had a valid account,
> they could get logged in. For the moment, let's just deal with the case where
> the principal name is the same as the login name.
> 
> How can I get this to work... I don't think pam/linux is quite happy
> with usernames of the form "user at REALM", which would be nice, but maybe
> messy.

It's really an SSH deficiency. They check the username for validity
before calling PAM, and will not allow PAM to change the username.

In auth2.c in input_userauth_request()

They get the user and strip off anything after a :
then call getpwnamallow(user)

So they don't give PAM a chance to parse the username, and
to change it to something else.
They also make sure later the user name has not changed
and print out
  "Change of username or service not allowed:"

I would hope they could be convinced that this is the wrong
approach to assume the "user" field is the local user,
and not let PAM do its job of parsing this field and
providing the local user to be used back to sshd.

There is another side issue here too. It's not only Kerberos
that could have this problem. The user has no way to specify
what method of authentication the user intends when they enter
user and password. It could be for the local machine, a default
Kerberos realm, an OTP, LDAP or RADIUS. The traditional approach
is to try them all. But this has at least two side effects:
(1) all of the methods get to see and possibly expose the password;
(2) a failure may be recorded by one of these methods if the
     password was not for it.

But with Keyboard interactive, it might be possible to
either use multiple prompts to prompt for the realm,
or to get the realm as part of the password response.
Ugly for the user, but workable. Something like: if the
user typed @REALM:password or user at REALM:password,
  it would assume it was for Kerberos at the realm,
and let the user specify both the local user and principal
name.




-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
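As an added illustration (not code from the post or from any pam_krb5 module), here is how a PAM module could parse the "[user]@REALM:password" response format proposed above: the local account stays the name sshd already validated, the principal comes from the response or defaults to that name in the default realm, and the password is everything after the first ':' following the '@'. The function, struct and field names are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>

/* Parsed form of one keyboard-interactive password response
   (assumed structure; not part of any real pam_krb5). */
struct krb_login {
    char local_user[64];   /* account sshd already validated */
    char principal[192];   /* user@REALM to try against the KDC */
    char password[256];
};

/* Copy src[0..n) into dst, refusing silent truncation. */
static int copy_n(char *dst, size_t cap, const char *src, size_t n)
{
    if (n >= cap) return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Parse "[user]@REALM:password". A bare password means the login
   user in default_realm. Returns 0 on success, -1 if malformed or
   too long. Note the in-band ambiguity: a plain password that itself
   contains '@' followed later by ':' will be misread as this form. */
int parse_krb_response(const char *login_user, const char *response,
                       const char *default_realm, struct krb_login *out)
{
    const char *at = strchr(response, '@');
    const char *colon = at ? strchr(at, ':') : NULL;
    const char *puser = login_user, *realm, *pw;
    size_t plen = strlen(login_user), rlen;

    memset(out, 0, sizeof *out);
    if (copy_n(out->local_user, sizeof out->local_user, login_user, plen))
        return -1;
    if (at && colon) {
        /* "user@REALM:pw" names the principal; "@REALM:pw" reuses login_user */
        if (at != response) { puser = response; plen = (size_t)(at - response); }
        realm = at + 1; rlen = (size_t)(colon - realm); pw = colon + 1;
    } else {
        /* plain password: login_user in the default realm */
        realm = default_realm; rlen = strlen(default_realm); pw = response;
    }
    if (rlen == 0 || *pw == '\0') return -1;   /* empty realm or password */
    if (plen + 1 + rlen >= sizeof out->principal) return -1;
    snprintf(out->principal, sizeof out->principal, "%.*s@%.*s",
             (int)plen, puser, (int)rlen, realm);
    return copy_n(out->password, sizeof out->password, pw, strlen(pw));
}
```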

