cross-realm authentication question
Douglas E. Engert
deengert@anl.gov
Fri Apr 20 17:46:12 EDT 2007
Rohit Kumar Mehta wrote:
> Hi guys, I have a pretty basic question about how cross-realm
> authentication works with ssh. Can kerberized logins work when your TGT
> is not from the default realm (as specified by /etc/krb5.conf)?
>
> I set up 2 MIT KDCs using Ubuntu server (dapper) each in a different
> realm (say REALM1 and REALM2), and configured them for cross-realm
> authentication. I put my service principal for a test client
> (host/cselin12.REALM1@REALM1) in one KDC and an account (rohitm@REALM2)
> in the other.
>
> On my client (also running the same version of Ubuntu with libpam_krb5),
> I configured ssh for gssapi, and installed the keytab with the principal
> "host/cselin12.REALM1@REALM". I was able to "kinit rohitm@REALM2" and
> ssh to cselin12.REALM1 and login automatically when my default realm (in
> /etc/krb5.conf) was set to be REALM2. However, if I set it to be
> REALM1, it did not work and I got prompted for a password.
>
> This is not that big a deal for us, but if we wanted to have different
> users logging in to the same machine, some whose account principals only
> existed in REALM1 and some whose account principals only existed in
> REALM2, would there be a way to do that?
Yes. Read up on the .k5login file and the krb5.conf auth_to_local.
> Many thanks for any help,
>
> Rohit
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
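A concrete reading of the .k5login / auth_to_local pointer in the reply above, as an added example that is not part of the thread: a krb5.conf for the ssh server cselin12.REALM1 that keeps default_realm = REALM1 yet maps single-component REALM2 principals such as rohitm@REALM2 onto the same-named local account. KDC hostnames and DNS domain names are assumptions.

```ini
# /etc/krb5.conf on the ssh server cselin12.REALM1 (added example, not from the thread).
# kdc1.realm1.example, kdc2.realm2.example and the DNS domains are assumed values.
[libdefaults]
    default_realm = REALM1

[realms]
    REALM1 = {
        kdc = kdc1.realm1.example
        admin_server = kdc1.realm1.example
        # MIT looks up auth_to_local under the host's default realm (REALM1),
        # so rules for foreign principals belong here, not under REALM2.
        # [1:$1@$0] formats principals with exactly ONE component as "name@REALM",
        # which deliberately leaves host/... and user/admin principals unmapped.
        # The regexp only accepts REALM2; the s/// strips the realm, leaving "rohitm".
        # Every one-component REALM2 principal becomes the like-named local user,
        # so widen or narrow the regexp to exactly what the cross-realm trust warrants.
        auth_to_local = RULE:[1:$1@$0](^.*@REALM2$)s/@REALM2$//
        # Principals of the default realm (REALM1) map to their first component.
        auth_to_local = DEFAULT
    }
    REALM2 = {
        kdc = kdc2.realm2.example
        admin_server = kdc2.realm2.example
    }

[domain_realm]
    .realm1.example = REALM1
    .realm2.example = REALM2
```

Where only a few accounts need cross-realm access, a ~/.k5login in that user's home directory on cselin12 containing the single line rohitm@REALM2 grants that principal access to that account alone and needs no auth_to_local change.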