Kerberos + SSH question
Richard E. Silverman
res at qoxp.net
Tue Jun 20 22:27:38 EDT 2006
>>>>> "RA" == Russ Allbery <rra at stanford.edu> writes:
RA> Nod <none at nospam.none> writes:
>> As for the user, no, it doesn't exist on the box. This might be
>> where I'm running into a problem. Right now, this box only has its
>> root user and various system accounts on it. Here's what I'm trying
>> to do:
>> - Set up kerberos users for my various support techs. This is done,
>> and I can kinit from the servers as those users.
>> - Allow the kerberos users login access to the servers, and
>> eventually, sudo access. Right now, I've not added any local users
>> to the servers themselves, as I was under the impression that
>> having them in Kerberos would make them a 'virtual' user of sorts.
>> Am I missing something here, or do I have a fundamental
>> misunderstanding on something? Your input is greatly appreciated.
RA> Fundamental misunderstanding of sorts. All Kerberos does for you
RA> is handle the authentication. In order to allow a user to log on
RA> to the system, they still have to have a local account with a
RA> shell, home directory, etc.
To elaborate just a bit: Kerberos allows the server to believe that it is
talking to a particular Kerberos principal, which is a point in a
namespace entirely separate from the account space of the host itself. The
decision of what, if any, local resources to allow this principal access
to is a separate matter. With SSH, you are asking for access to a
resource (account) that doesn't exist. It doesn't matter who you're
authenticated as; there's nothing to give you.
--
Richard Silverman
res at qoxp.net
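As an added illustration, not from the thread itself, here is a small Python model of the two separate decisions described above: whether the requested local account exists at all, and whether the authenticated Kerberos principal is allowed to use it. The realm, account table and .k5login contents are constructed for the example; the authorization rule follows the MIT krb5_kuserok behaviour (a .k5login listing wins, otherwise only user@DEFAULT_REALM maps to local user "user") and omits auth_to_local rewriting.

```python
import pwd

DEFAULT_REALM = "EXAMPLE.COM"  # constructed realm for this example


def local_account_exists(username, passwd_db=None):
    """Does `username` have a local account? `passwd_db` is an optional
    injected set of names so the check can run offline; otherwise the
    real passwd database is consulted."""
    if passwd_db is not None:
        return username in passwd_db
    try:
        pwd.getpwnam(username)
        return True
    except KeyError:
        return False


def principal_authorized(principal, username, k5login=None, realm=DEFAULT_REALM):
    """May `principal` use local account `username`? If a .k5login file
    exists (passed as its text), the principal must be listed in it;
    otherwise only user@DEFAULT_REALM maps to local user `user`."""
    if k5login is not None:
        allowed = {ln.strip() for ln in k5login.splitlines()
                   if ln.strip() and not ln.lstrip().startswith("#")}
        return principal in allowed
    return principal == f"{username}@{realm}"


def ssh_gssapi_login_decision(principal, requested_user, passwd_db, k5login_files):
    """Combine both checks the way an sshd with GSSAPI auth effectively does:
    a missing account fails regardless of who the client authenticated as."""
    if not local_account_exists(requested_user, passwd_db):
        return "no such local account"
    k5login = k5login_files.get(requested_user)  # None = no .k5login
    if not principal_authorized(principal, requested_user, k5login):
        return "principal not authorized for account"
    return "ok"


# Constructed sample data: a host with only root and alice as local accounts.
SAMPLE_PASSWD = {"root", "alice"}
SAMPLE_K5LOGIN = {"alice": "# techs allowed into alice's account\n"
                           "alice@EXAMPLE.COM\nbob/admin@EXAMPLE.COM\n"}

if __name__ == "__main__":
    # bob has a valid ticket but no local account: exactly the thread's case.
    print(ssh_gssapi_login_decision("bob@EXAMPLE.COM", "bob",
                                    SAMPLE_PASSWD, SAMPLE_K5LOGIN))
```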