Kerberos + SSH question

Richard E. Silverman res at
Tue Jun 20 22:27:38 EDT 2006

>>>>> "RA" == Russ Allbery <rra at> writes:

    RA> Nod <none at nospam.none> writes:
    >> As for the user, no, it doesn't exist on the box. This might be
    >> where I'm running into a problem. Right now, this box only has its'
    >> root user and various system accounts on it. Here's what I'm trying
    >> to do:

    >> - Set up kerberos users for my various support techs. This is done,
    >> and I can kinit from the servers as those users.

    >> - Allow the kerberos users login access to the servers, and
    >> eventually, sudo access. Right now, I've not added any local users
    >> to the servers themselves, as I was under the impression that
    >> having them in Kerberos would make them a 'virtual' user of sorts.

    >> Am I missing something here, or do I have a fundemental
    >> misunderstanding on something? Your input is greatly appreciated.

    RA> Fundamental misunderstanding of sorts.  All Kerberos does for you
    RA> is handle the authentication.  In order to allow a user to log on
    RA> to the system, they still have to have a local account with a
    RA> shell, home directory, etc.  

To elaborate just a bit: Kerberos allows the server to believe that it is
talking to a particular Kerberos principal, which is a point in a
namespace entirely separate from the account space the host itself.  The
decision of what, if any, local resources to allow this principal access
to is a separate matter.  With SSH, you are asking for access to a
resource (account) that doesn't exist.  It doesn't matter who you're
authenticated as; there's nothing to give you.

  Richard Silverman
  res at

More information about the Kerberos mailing list