cross-realm authentication question

Douglas E. Engert deengert at anl.gov
Fri Apr 20 17:46:12 EDT 2007



Rohit Kumar Mehta wrote:
> Hi guys, I have a pretty basic question about how cross-realm 
> authentication works with ssh.  Can kerberized logins work when your TGT 
> is not from the default realm (as specified by /etc/krb5.conf)
> 
> I set up 2 MIT KDCs using Ubuntu server (dapper) each in a different 
> realm (say REALM1 and REALM2), and configured them for cross-realm 
> authentication. I put my service principal for a test client 
> (host/cselin12.REALM1 at REALM1) in one KDC and an account (rohitm at REALM2) 
> in the other.
> 
> On my client (also running the same version of Ubuntu with libpam_krb5), 
> I configured ssh for gssapi, and installed the keytab with the principal 
> "host/cselin12.REALM1 at REALM".  I was able to "kinit rohitm at REALM2" and 
> ssh to cselin12.REALM1 and login automatically when my default realm (in 
> /etc/krb5.conf) was set to be REALM2.  However, if I set it to be 
> REALM1, it did not work and I get prompted for a password.
> 
> This is not that big a deal for us, but if we wanted to have different 
> users logging in to the same machine, some whose account principals only 
> existed in REALM1 and some whose account principals only existed in 
> REALM2, would there be a way to do that?

Yes. Read up on the .k5login file and the krb5.conf auth_to_local.



> Many thanks for any help,
> 
> Rohit
> 
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
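To make the answer concrete, here is a small evaluator for the two mechanisms it names, written as an added example for this archive page; it is not MIT krb5 code and not something Engert or Mehta posted. It reimplements the decision MIT makes when a GSSAPI login arrives: auth_to_local rules (read by MIT from the [realms] subsection of the client's default_realm, which is why changing default_realm changed the outcome in the question) map the authenticated principal to a local user name, and krb5_kuserok accepts the login if ~user/.k5login lists the principal or, when no .k5login exists, if the mapping yields that user. The realm names, rule strings, principals and .k5login contents below are constructed for the example; Python's re module stands in for the POSIX extended regex and s/// substitution MIT uses, and the parser here requires the [n:string] selector, which MIT does not.

```python
import re
from typing import List, Optional, Sequence, Tuple

# Grammar of an MIT-style rule, simplified for this example:
#   RULE:[n:string](regexp)s/pattern/replacement/g
# The [n:string] selector is required here (MIT makes every part optional);
# the (regexp) and s/// parts are optional.  $0 is the realm, $k the k-th component.
RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\]"                           # [n:string]
    r"(?:\((.*?)\))?"                                     # (regexp), optional
    r"(?:s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?))?$"   # s/pat/rep/[g], optional
)


def parse_principal(principal: str) -> Tuple[List[str], str]:
    """Split 'a/b@REALM' into (['a', 'b'], 'REALM').  Assumes no escaped '@' or '/'."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"malformed principal: {principal!r}")
    return name.split("/"), realm


def apply_rule(rule: str, components: Sequence[str], realm: str,
               default_realm: str) -> Optional[str]:
    """Return the local name this rule yields, or None if the rule does not apply."""
    if rule == "DEFAULT":
        # DEFAULT only maps single-component principals of the default realm.
        if realm == default_realm and len(components) == 1:
            return components[0]
        return None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unparseable auth_to_local rule: {rule!r}")
    n, selector, regexp, pattern, replacement, flag = m.groups()
    if int(n) != len(components):
        return None

    def expand(mm: re.Match) -> str:
        k = int(mm.group(1))
        if k == 0:
            return realm                  # $0 is the realm
        if 1 <= k <= len(components):
            return components[k - 1]      # $k is the k-th component
        raise ValueError(f"selector {selector!r} references ${k}, "
                         f"principal has {len(components)} components")

    selected = re.sub(r"\$(\d+)", expand, selector)
    # MIT requires the regexp to match the whole selected string; fullmatch does the same.
    if regexp is not None and re.fullmatch(regexp, selected) is None:
        return None
    if pattern is not None:
        selected = re.sub(pattern, replacement, selected,
                          count=0 if flag == "g" else 1)
    return selected


def aname_to_localname(principal: str, rules: Sequence[str],
                       default_realm: str) -> Optional[str]:
    """First rule that applies wins; None means no local account (login falls through)."""
    components, realm = parse_principal(principal)
    for rule in rules:
        local = apply_rule(rule, components, realm, default_realm)
        if local is not None:
            return local
    return None


def kuserok(principal: str, local_user: str, rules: Sequence[str],
            default_realm: str, k5login: Optional[Sequence[str]] = None) -> bool:
    """krb5_kuserok's decision with the default k5login_authoritative=true:
    if ~local_user/.k5login exists (k5login is not None), only the principals
    listed in it may log in; otherwise the principal must map to local_user."""
    if k5login is not None:
        allowed = {line.strip() for line in k5login if line.strip()}
        return principal in allowed
    return aname_to_localname(principal, rules, default_realm) == local_user


# Constructed scenario matching the question: client default_realm is REALM1,
# the account lives in REALM2.
DEFAULT_REALM = "REALM1"
RULES_DEFAULT_ONLY = ["DEFAULT"]
# Accept single-component REALM2 principals as the same-named local user.  The
# regexp pins the realm, so a principal from some third realm cannot ride in on
# whatever cross-realm trust exists.
RULES_CROSS_REALM = ["RULE:[1:$1@$0](^[^@]+@REALM2$)s/@REALM2$//", "DEFAULT"]
# Too loose: the selector drops the realm, so user@ANYREALM becomes local 'user'.
RULES_TOO_LOOSE = ["RULE:[1:$1]", "DEFAULT"]

if __name__ == "__main__":
    for rules in (RULES_DEFAULT_ONLY, RULES_CROSS_REALM, RULES_TOO_LOOSE):
        for p in ("rohitm@REALM2", "rohitm@REALM1", "rohitm/admin@REALM2", "rohitm@OTHERREALM"):
            print(f"{rules[0]:46} {p:22} -> {aname_to_localname(p, rules, DEFAULT_REALM)}")
    # .k5login route: no auth_to_local rule needed, only the listed principal gets in.
    print(kuserok("rohitm@REALM2", "rohitm", RULES_DEFAULT_ONLY, DEFAULT_REALM,
                  k5login=["rohitm@REALM2\n"]))
```

With DEFAULT alone, rohitm@REALM2 maps to nothing when the default realm is REALM1, which is the fall-through to a password prompt described in the question; the RULE entry or a .k5login line fixes it. The point a practitioner should check is in the selector: match on $0 (the realm) as well as the name, otherwise every realm the KDC has a cross-realm key for can supply principals that land in arbitrary local accounts.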


