SSH with auth_to_local on common account

Edward Murrell edward at dlconsulting.com
Wed Jan 3 20:11:35 EST 2007


In the interests of helping people with the same problem in the
future... I thought I'd post where I'm up to with this.

So, pam_krb5 isn't sufficient to do this job. It would appear that SSH
uses NSS to look up a list of users that do exist on the system.

Since my local user doesn't exist, SSH allows you to enter a password in
the name of not giving away information about what users do exist on the
system, then kicks you out. The solution is to have a list of users that
exist in some way available to NSS (like /etc/passwd or LDAP), even if
you can't actually log in to the system with them.

I guess I'll have to get LDAP updates working. I guess I'm going to have
to kick OpenLDAP around a bit again. *sigh* (I've not had great success
with OpenLDAP replicas).

Cheers,
Edward

Edward Murrell wrote:
> Hi all,
>
> I've got an issue with KRB5 auth_to_local and ssh that I'm trying to
> work out.
>
> I have a machine called 'hobbes' with a common user account that I'm to
> get working with SSH and Kerberos.
>
> Normal SSH + Kerberos works perfectly.
>
> However, the specs call for anyone with a valid Kerberos account to be
> able to login via SSH to a common account (called dlc).
>
> Using the following, I have been able to get the following to work if
> the initiating user has a valid Kerberos ticket;
>
> Changes:
> krb5.conf REALM:
>         auth_to_local = RULE:[1:dlc]
>         auth_to_local = RULE:[2:dlc]
>         auth_to_local = DEFAULT
>
> /etc/pam.d/common-account:
>     account sufficient      pam_krb5.so
>     account required        pam_unix.so
>
> Command:
>     ssh -l dlc hobbes
>
>
> The problem is that users will at times need to log in from a location
> that does not have Kerberos installed. At this point, the system will
> ask for the password for the dlc Kerberos user (that does not exist),
> and will fail with an error like the following:
>
> Jan  3 16:23:29 hobbes sshd[17471]: error: PAM: System error for illegal
> user edward from 1.1.1.1
> Jan  3 16:23:29 hobbes sshd[17471]: Failed unknown for illegal user
> edward from 1.1.1.1 port 54214 ssh2
>
> From looking at the logs, it looks like the pam krb5 doesn't get called
> at all.
>
> Any suggestions?
> I'm sure it's a very simple answer but I'm just too silly to work it out.
>
> Cheers
> Edward
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>   
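As an added illustration (not code from this thread or from MIT krb5), the following Python models how the three auth_to_local lines quoted above are evaluated, and why sshd then still rejects the login unless NSS knows the mapped name. The realm name EXAMPLE.COM is assumed, and the RULE parser is a simplified model of the krb5.conf RULE syntax that also covers the optional (regexp) selector and s/pattern/replacement/ step, which the post's rules do not use.

```python
import pwd
import re

# Constructed from the post: its three auth_to_local lines, in order.
AUTH_TO_LOCAL = ["RULE:[1:dlc]", "RULE:[2:dlc]", "DEFAULT"]
LOCAL_REALM = "EXAMPLE.COM"  # assumed realm name; the post never names it
RULE_RE = re.compile(  # RULE:[n:string](regexp)s/pattern/replacement/g
    r"^RULE:\[(\d+):([^\]]*)\](?:\((.*?)\))?(?:s/(.*?)/(.*?)/(g?))?$")

def parse_principal(principal):
    name, _, realm = principal.rpartition("@")  # 'a/b@R' -> (['a','b'], 'R')
    return name.split("/"), realm

def apply_rule(rule, components, realm):
    """Evaluate one RULE line; None means the rule does not apply."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported auth_to_local rule: " + rule)
    n, fmt, selector, pattern, repl, flag = m.groups()
    if int(n) != len(components):  # rule fires only on n-component names
        return None
    s = fmt.replace("$0", realm)  # $0 is the realm, $1.. the components
    for i, comp in enumerate(components, 1):
        s = s.replace("$%d" % i, comp)
    if selector is not None and not re.fullmatch(selector, s):
        return None  # selector regexp must match the whole formatted string
    if pattern is not None:  # Python re stands in for krb5's POSIX regex here
        s = re.sub(pattern, repl, s, count=0 if flag else 1)
    return s

def map_principal(principal, rules=AUTH_TO_LOCAL, local_realm=LOCAL_REALM):
    """First matching rule wins; DEFAULT maps only one-component local names."""
    components, realm = parse_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            if realm == local_realm and len(components) == 1:
                return components[0]
            continue
        mapped = apply_rule(rule, components, realm)
        if mapped is not None:
            return mapped
    return None

def login_decision(principal, lookup=pwd.getpwnam, **kw):
    """(mapped_user, exists): sshd asks NSS via getpwnam() before PAM runs."""
    user = map_principal(principal, **kw)
    try:
        return user, user is not None and bool(lookup(user))
    except KeyError:  # getpwnam raises KeyError for a name NSS does not know
        return user, False
```

With the post's rules every one- or two-component principal in the realm maps to dlc, so the mapping itself never fails; the "illegal user" rejection comes from the second step, the NSS lookup of the mapped name.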
