cross-realm authentication question

Markus Moeller huaraz at moeller.plus.com
Sun Apr 22 08:03:12 EDT 2007


Try to use in the realms section of the krb5.conf file on hosts with default
realm REALM1:

        REALM1 = {
                auth_to_local = RULE:[1:$1@$0](.*@REALM2$)s/@.*//
                auth_to_local = DEFAULT
        }


and on hosts with default REALM2:

        REALM2 = {
                auth_to_local = RULE:[1:$1@$0](.*@REALM1$)s/@.*//
                auth_to_local = DEFAULT
        }


This would avoid having .k5login files everywhere, BUT you have to
understand that the administrator of REALM2 can now control access to
hosts in REALM1, and user IDs have to be unique in both realms.

Regards
Markus
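As an added illustration (not part of the original post and not MIT Kerberos code), the following Python models how a host evaluates the two auth_to_local rule sets above, so you can see which principals land in which local account and where the "user IDs have to be unique" caveat bites. The rule data is the two krb5.conf fragments from the post; the sample principals (alice, mallory, admin) are constructed. It assumes, as MIT krb5 does, that the regexp in a RULE has to match the whole selector string, and it simplifies DEFAULT to "single-component principal in the host's default realm maps to that component".

```python
import re

# Constructed example data: the two krb5.conf fragments from the post, keyed by
# the host's default realm.  The value is the ordered list of auth_to_local rules.
AUTH_TO_LOCAL = {
    "REALM1": ["RULE:[1:$1@$0](.*@REALM2$)s/@.*//", "DEFAULT"],
    "REALM2": ["RULE:[1:$1@$0](.*@REALM1$)s/@.*//", "DEFAULT"],
}

# RULE:[n:selector](regexp)s/pattern/replacement/[g]
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)s/(.*?)/(.*?)/(g?)$")


def parse_principal(principal):
    """Split 'comp1/comp2@REALM' into (['comp1', 'comp2'], 'REALM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("not a principal with a realm: %r" % principal)
    return name.split("/"), realm


def format_selector(template, components, realm):
    """Expand $0 (realm) and $1..$n (components) in the selector string."""
    out = template.replace("$0", realm)
    # Substitute higher indices first so "$1" never eats the "$1" in "$10".
    for i in range(len(components), 0, -1):
        out = out.replace("$%d" % i, components[i - 1])
    return out


def apply_rule(rule, components, realm):
    """Apply one RULE: line; return the local name or None if it does not apply."""
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError("unparseable auth_to_local rule: %r" % rule)
    ncomp, template, regexp, pattern, replacement, flags = m.groups()
    # The [n:...] part only applies to principals with exactly n components.
    if int(ncomp) != len(components):
        return None
    selected = format_selector(template, components, realm)
    # Assumption: as in MIT krb5, the regexp has to match the whole selector string.
    if re.fullmatch(regexp, selected) is None:
        return None
    count = 0 if flags == "g" else 1  # sed semantics: first match only unless /g
    return re.sub(pattern, replacement, selected, count=count)


def apply_default(components, realm, default_realm):
    # Simplified DEFAULT (assumption): a single-component principal in the host's
    # default realm maps to that component; everything else gets no mapping.
    if realm == default_realm and len(components) == 1:
        return components[0]
    return None


def auth_to_local(principal, default_realm, rules=AUTH_TO_LOCAL):
    """Return the local user name, or None if no rule maps the principal."""
    components, realm = parse_principal(principal)
    for rule in rules[default_realm]:
        if rule == "DEFAULT":
            local = apply_default(components, realm, default_realm)
        else:
            local = apply_rule(rule, components, realm)
        if local is not None:
            return local
    return None  # no mapping: the login is refused unless ~/.k5login allows it


def find_collisions(principals, default_realm, rules=AUTH_TO_LOCAL):
    """Group principals that map to the same local account on this host."""
    by_local = {}
    for p in principals:
        local = auth_to_local(p, default_realm, rules)
        if local is not None:
            by_local.setdefault(local, []).append(p)
    return {k: v for k, v in by_local.items() if len(v) > 1}


if __name__ == "__main__":
    for host_realm in ("REALM1", "REALM2"):
        for p in ("rohitm@REALM2", "alice@REALM1", "mallory@REALM3",
                  "host/cselin12.REALM1@REALM1"):
            print(host_realm, p, "->", auth_to_local(p, host_realm))
    # The caveat from the post: the same user name in both realms is one local account.
    print(find_collisions(["admin@REALM1", "admin@REALM2", "rohitm@REALM2"], "REALM1"))
```

Running it shows rohitm@REALM2 mapping to the local user rohitm on hosts in either realm, a principal from a third realm (or a two-component principal such as the host key) getting no mapping at all, and admin@REALM1 and admin@REALM2 collapsing onto the same local account, which is exactly why the REALM2 administrator ends up controlling access to REALM1 hosts.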

"Rohit Kumar Mehta" <rohitm at engr.uconn.edu> wrote in message 
news:46292B5B.5060005 at engr.uconn.edu...
>
> Hi guys, I have a pretty basic question about how cross-realm
> authentication works with ssh.  Can kerberized logins work when your TGT
> is not from the default realm (as specified by /etc/krb5.conf)?
>
> I set up 2 MIT KDCs using Ubuntu server (dapper) each in a different
> realm (say REALM1 and REALM2), and configured them for cross-realm
> authentication. I put my service principal for a test client
> (host/cselin12.REALM1 at REALM1) in one KDC and an account (rohitm at REALM2)
> in the other.
>
> On my client (also running the same version of Ubuntu with libpam_krb5),
> I configured ssh for gssapi, and installed the keytab with the principal
> "host/cselin12.REALM1 at REALM".  I was able to "kinit rohitm at REALM2" and
> ssh to cselin12.REALM1 and login automatically when my default realm (in
> /etc/krb5.conf) was set to be REALM2.  However, if I set it to be
> REALM1, it did not work and I get prompted for a password.
>
> This is not that big a deal for us, but if we wanted to have different
> users logging in to the same machine, some whose account principals only
> existed in REALM1 and some whose account principals only existed in
> REALM2, would there be a way to do that?
>
> Many thanks for any help,
>
> Rohit
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 