cross-realm logins with ssh & pam_krb5

Troy Benjegerdes hozer at hozed.org
Fri Jan 28 12:58:50 EST 2005


On Fri, Jan 28, 2005 at 11:06:28AM -0600, Douglas E. Engert wrote:
> 
> 
> Troy Benjegerdes wrote:
> 
> >I want to allow users from two different realms to be able to log into a
> >machine via ssh using the pam_krb5 keyboard-interactive authentication
> >method.
> >
> >Is there a pam_krb5 module that supports this? Ideally, I'd like to
> >default to REALM1, and users from realm1 would do
> >"ssh -l user@REALM2 login-machine", and if they had a valid account,
> >they could get logged in. For the moment, let's just deal with the case
> >where the principal name is the same as the login name.
> >
> >How can I get this to work... I don't think pam/linux is quite happy
> >with usernames of the form "user@REALM", which would be nice, but maybe
> >messy.
> 
> It's really an SSH deficiency. They check the username for validity
> before calling PAM, and will not allow PAM to change the username.
> 
> In auth2.c in input_userauth_request()
> 
> They get the user and strip off anything after a :
> then call getpwnamallow(user)
> 
> So they don't give PAM a chance to parse the username, and
> to change it to something else.
> They also make sure later the user name has not changed
> and print out
>  "Change of username or service not allowed:"

So, does the current openssh-3.8 work right with pam and/or afs with
privilege separation turned on? My other wishlist item for ssh is
support for changing expired kerberos passwords.. has anyone gotten this
working?

Are there any other SSH implementations that have GSSAPI support?
