Kerberos + SSH question
none at nospam.none
Fri Jun 23 11:46:08 EDT 2006
On Thu, 22 Jun 2006 21:22:53 +0200, Sebastian Hanigk <hanigk at in.tum.de> wrote:
>none at nospam.none (Nod) writes:
>>>To elaborate just a bit: Kerberos allows the server to believe that it is
>>>talking to a particular Kerberos principal, which is a point in a
>>>namespace entirely separate from the account space of the host itself. The
>>>decision of what, if any, local resources to allow this principal access
>>>to is a separate matter. With SSH, you are asking for access to a
>>>resource (account) that doesn't exist. It doesn't matter who you're
>>>authenticated as; there's nothing to give you.
>> Well, this makes a lot more sense now. Would you happen to know where
>> I could find a good guide for integrating LDAP with ssh? I've been
>> over a bunch of them, and just keep getting more confused by LDAP the
>> more I read.
>You don't have to use LDAP for the accounts service; you can
>authenticate via Kerberos and then use the /etc/passwd
Indeed, but I'm trying to avoid deploying updated passwd files to 100+ servers.
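
The distinction drawn in the quoted explanation, as an added example that is not part of the original thread: a simplified model of the two separate questions a host answers at login, namely whether the requested account exists in its account database and whether the authenticated principal maps to it. The realm, the passwd lines and the function names are constructed for illustration; the mapping follows the MIT krb5 DEFAULT auth_to_local rule, and ~/.k5login, which can also grant access, is left out.

```python
from typing import Dict, NamedTuple, Optional

DEFAULT_REALM = "EXAMPLE.ORG"  # assumed realm, not from the thread

# Constructed passwd(5)-format data standing in for the host's account database
# (local /etc/passwd here; a directory service would fill the same role).
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/sh
"""

class Account(NamedTuple):
    name: str
    uid: int
    home: str

def load_accounts(text: str) -> Dict[str, Account]:
    """Parse passwd-format lines, skipping comments and malformed entries."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 7:
            continue
        accounts[fields[0]] = Account(fields[0], int(fields[2]), fields[5])
    return accounts

def default_localname(principal: str, realm: str = DEFAULT_REALM) -> Optional[str]:
    """DEFAULT rule: a one-component principal in the default realm maps to
    its own name; any other principal has no local name."""
    name, sep, prealm = principal.rpartition("@")
    if not sep or not name or prealm != realm or "/" in name:
        return None
    return name

def login_decision(principal: str, requested_user: str,
                   accounts: Dict[str, Account]) -> str:
    # Authentication is assumed done: the ticket already proved `principal`.
    if requested_user not in accounts:
        return "deny: no such account"           # nothing to give access to
    if default_localname(principal) != requested_user:
        return "deny: principal not authorized for account"
    return "allow"

ACCOUNTS = load_accounts(PASSWD)

if __name__ == "__main__":
    for princ, user in [("bob@EXAMPLE.ORG", "bob"), ("alice@EXAMPLE.ORG", "alice"),
                        ("alice@EXAMPLE.ORG", "root")]:
        print(princ, "->", user, ":", login_decision(princ, user, ACCOUNTS))
```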