cross-realm authentication question
Rohit Kumar Mehta
rohitm at engr.uconn.edu
Fri Apr 20 17:06:35 EDT 2007
Hi guys, I have a pretty basic question about how cross-realm
authentication works with ssh. Can kerberized logins work when your TGT
is not from the default realm (as specified by /etc/krb5.conf)
I set up 2 MIT KDCs using Ubuntu server (dapper) each in a different
realm (say REALM1 and REALM2), and configured them for cross-realm
authentication. I put my service principal for a test client
(host/cselin12.REALM1 at REALM1) in one KDC and an account (rohitm at REALM2)
in the other.
On my client (also running the same version of Ubuntu with libpam_krb5),
I configured ssh for gssapi, and installed the keytab with the principal
"host/cselin12.REALM1 at REALM". I was able to "kinit rohitm at REALM2" and
ssh to cselin12.REALM1 and login automatically when my default realm (in
/etc/krb5.conf) was set to be REALM2. However, if I set it to be
REALM1, it did not work and I get prompted for a password.
This is not that big a deal for us, but if we wanted to have different
users logging in to the same machine, some whose account principals only
existed in REALM1 and some whose account principals only existed in
REALM2, would there be a way to do that?
Many thanks for any help,
Rohit
More information about the Kerberos
mailing list