SSH with auth_to_local on common account

Edward Murrell edward at dlconsulting.com
Wed Jan 3 16:45:25 EST 2007


Hi all,

I've got an issue with KRB5 auth_to_local and ssh that I'm trying to
work out.

I have a machine called 'hobbes' with a common user account that I'm to
get working with SSH and Kerberos.

Normal SSH + Kerberos works perfectly.

However, the specs call for anyone with a valid Kerberos account to be
able to login via SSH to a common account (called dlc).

Using the following, I have been able to get the following to work if
the initiating user has a valid Kerberos ticket:

Changes:
krb5.conf REALM:
        auth_to_local = RULE:[1:dlc]
        auth_to_local = RULE:[2:dlc]
        auth_to_local = DEFAULT

/etc/pam.d/common-account:
    account sufficient      pam_krb5.so
    account required        pam_unix.so

Command:
    ssh -l dlc hobbes


The problem is that users will at times need to log in from a location
that does not have Kerberos installed. At this point, the system will
ask for the password for the dlc Kerberos user (that does not exist),
and will fail with an error like the following:

    Jan  3 16:23:29 hobbes sshd[17471]: error: PAM: System error for illegal user edward from 1.1.1.1
    Jan  3 16:23:29 hobbes sshd[17471]: Failed unknown for illegal user edward from 1.1.1.1 port 54214 ssh2

From looking at the logs, it looks like pam_krb5 doesn't get called
at all.

Any suggestions?
I'm sure it's a very simple answer but I'm just too silly to work it out.

Cheers
Edward
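To see which principals the quoted auth_to_local rules actually map to dlc, here is an added Python simulator (not part of the original mail, nor MIT krb5's own code) for the RULE:[n:string](regex)s/pat/rep/ and DEFAULT forms documented in krb5.conf(5). It assumes one flat rule list is applied to every principal (MIT looks rules up per realm) and uses EXAMPLE.COM as a constructed stand-in for the poster's realm.

```python
import re
from typing import List, Optional

# Simplified model of MIT krb5 auth_to_local (assumption: only the
# RULE:[n:string](regex)s/pat/rep/[g] and DEFAULT forms are supported).
RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\](?:\((.*?)\))?((?:s/[^/]*/[^/]*/g?)*)$")


def split_principal(principal: str):
    """'host/hobbes@EXAMPLE.COM' -> (['host', 'hobbes'], 'EXAMPLE.COM')."""
    name, realm = principal.rsplit("@", 1)
    return name.split("/"), realm


def apply_rule(rule: str, principal: str, default_realm: str) -> Optional[str]:
    comps, realm = split_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT maps only single-component principals of the local realm.
        return comps[0] if realm == default_realm and len(comps) == 1 else None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unparseable rule: {rule}")
    n, fmt, regex, subs = int(m.group(1)), m.group(2), m.group(3), m.group(4)
    if len(comps) != n:
        return None  # the component count must match exactly
    out = fmt.replace("$0", realm)  # $0 is the realm, $1..$n the components
    for i, comp in enumerate(comps, 1):
        out = out.replace(f"${i}", comp)
    if regex is not None and not re.fullmatch(regex, out):
        return None  # the regex must match the whole formatted string
    for pat, rep, g in re.findall(r"s/([^/]*)/([^/]*)/(g?)", subs):
        out = re.sub(pat, rep, out, count=0 if g else 1)
    return out


def aname_to_localname(rules: List[str], principal: str,
                       default_realm: str) -> Optional[str]:
    """First matching rule wins; None means the mapping fails."""
    for rule in rules:
        mapped = apply_rule(rule, principal, default_realm)
        if mapped is not None:
            return mapped
    return None


# The rules from the mail: any 1- or 2-component principal becomes dlc.
POSTED_RULES = ["RULE:[1:dlc]", "RULE:[2:dlc]", "DEFAULT"]
# A constructed tighter variant: only plain user principals of the local realm.
TIGHT_RULES = [r"RULE:[1:$1@$0](^[a-z]+@EXAMPLE\.COM$)s/.*/dlc/", "DEFAULT"]
```

Run against the posted rules, a service principal such as host/hobbes@EXAMPLE.COM also maps to dlc, while the tighter variant maps only lowercase user principals of the local realm and leaves everything else unmapped.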


