cross-realm authentication question

Rohit Kumar Mehta rohitm at engr.uconn.edu
Fri Apr 20 17:06:35 EDT 2007


Hi guys, I have a pretty basic question about how cross-realm 
authentication works with ssh.  Can kerberized logins work when your TGT 
is not from the default realm (as specified by /etc/krb5.conf)?

I set up 2 MIT KDCs using Ubuntu server (dapper) each in a different 
realm (say REALM1 and REALM2), and configured them for cross-realm 
authentication. I put my service principal for a test client 
(host/cselin12.REALM1@REALM1) in one KDC and an account (rohitm@REALM2) 
in the other.

On my client (also running the same version of Ubuntu with libpam_krb5), 
I configured ssh for gssapi, and installed the keytab with the principal 
"host/cselin12.REALM1@REALM".  I was able to "kinit rohitm@REALM2" and 
ssh to cselin12.REALM1 and login automatically when my default realm (in 
/etc/krb5.conf) was set to be REALM2.  However, if I set it to be 
REALM1, it did not work and I get prompted for a password.

This is not that big a deal for us, but if we wanted to have different 
users logging in to the same machine, some whose account principals only 
existed in REALM1 and some whose account principals only existed in 
REALM2, would there be a way to do that?

Many thanks for any help,

Rohit
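Added example (not part of Rohit's post): the behaviour described above follows from how the host maps a Kerberos principal to a local account. With the DEFAULT mapping, MIT krb5 only strips the realm from a principal when that realm is the host's default_realm, so rohitm@REALM2 maps to the local user "rohitm" only while REALM2 is the default realm. To let accounts from both realms log in to one host, the host's krb5.conf can carry explicit auth_to_local rules in the default realm's stanza. The fragment below is a constructed illustration of that configuration; the KDC host names are placeholders, REALM1 and REALM2 are the realm names from the post, and it assumes an MIT krb5 release that supports RULE-style auth_to_local mappings.

```ini
# /etc/krb5.conf on the ssh server (cselin12.REALM1) - constructed example
[libdefaults]
    # The host's own realm; DEFAULT mapping only strips this realm.
    default_realm = REALM1

[realms]
    REALM1 = {
        kdc = kdc1.example.invalid          # placeholder
        admin_server = kdc1.example.invalid # placeholder
        # auth_to_local rules are consulted in order, under the default realm.
        # [1:$1@$0] rebuilds one-component principals as "name@REALM";
        # the anchored regex accepts only REALM2 exactly, then strips it,
        # so rohitm@REALM2 becomes the local account "rohitm".
        auth_to_local = RULE:[1:$1@$0](^.*@REALM2$)s/@REALM2$//
        # Principals in the default realm (REALM1) keep the normal mapping.
        auth_to_local = DEFAULT
    }
    REALM2 = {
        kdc = kdc2.example.invalid          # placeholder
    }

[capaths]
    # Direct cross-realm trust in both directions ("." = no intermediate realm).
    REALM1 = {
        REALM2 = .
    }
    REALM2 = {
        REALM1 = .
    }
```

Two points worth checking when applying something like this. First, anchoring the regex with ^ and $ matters: an unanchored pattern such as (.*@REALM2) would also match principals from any realm whose name merely starts with REALM2, so only exact realms should be granted a local mapping. Second, auth_to_local rules are host-wide policy; if only a few users need cross-realm access, a per-user ~/.k5login file listing the permitted principals (for example rohitm@REALM2) is the narrower alternative that sshd's GSSAPI authentication honours through krb5_kuserok, and it needs no change to krb5.conf.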
