SSH with auth_to_local on common account

Bjoern Tore Sund bjorn.sund at it.uib.no
Thu Jan 4 03:38:21 EST 2007


The solution is to have nscd running.  At least that solved the issue 
for me.

-BT

Edward Murrell wrote:
> In the interests of helping people with the same problem in the
> future... I thought I'd post where I'm up to with this.
> 
> So, pam_krb5 isn't sufficient to do this job. It would appear that SSH
> uses NSS to look up a list of users that do exist on the system.
> 
> Since my local user doesn't exist, SSH allows you to enter a password in
> the name of not giving away information about what users do exist on the
> system, then kicks you out. The solution is to have a list of users that
> exist in some way available to NSS (like /etc/passwd or LDAP), even if
> you can't actually log in to the system with them.
> 
> I guess I'll have to get LDAP updates working. I guess I'm going to have
> to kick OpenLDAP around a bit again. *sigh* (I've not had great success
> with OpenLDAP replicas).
> 
> Cheers,
> Edward
> 
> Edward Murrell wrote:
>> Hi all,
>>
>> I've got an issue with KRB5 auth_to_local and ssh that I'm trying to
>> work out.
>>
>> I have a machine called 'hobbes' with a common user account that I'm to
>> get working with SSH and Kerberos.
>>
>> Normal SSH + Kerberos works perfectly.
>>
>> However, the specs call for anyone with a valid Kerberos account to be
>> able to login via SSH to a common account (called dlc).
>>
>> Using the following, I have been able to get it to work if the
>> initiating user has a valid Kerberos ticket:
>>
>> Changes:
>> krb5.conf REALM:
>>         auth_to_local = RULE:[1:dlc]
>>         auth_to_local = RULE:[2:dlc]
>>         auth_to_local = DEFAULT
>>
>> /etc/pam.d/common-account:
>>     account sufficient      pam_krb5.so
>>     account required        pam_unix.so
>>
>> Command:
>>     ssh -l dlc hobbes
>>
>>
>> The problem is that users will at times need to log in from a location
>> that does not have Kerberos installed. At this point, the system will
>> ask for the password for the dlc Kerberos user (that does not exist),
>> and will fail with an error like the following:
>>
>> Jan  3 16:23:29 hobbes sshd[17471]: error: PAM: System error for illegal user edward from 1.1.1.1
>> Jan  3 16:23:29 hobbes sshd[17471]: Failed unknown for illegal user edward from 1.1.1.1 port 54214 ssh2
>>
>> From looking at the logs, it looks like pam_krb5 doesn't get called
>> at all.
>>
>> Any suggestions?
>> I'm sure it's a very simple answer but I'm just too silly to work it out.
>>
>> Cheers
>> Edward
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>   
> 


-- 
Bjørn Tore Sund       Phone: 555-84894   Email:   bjorn.sund at it.uib.no
IT department         VIP:   81724       Support: http://bs.uib.no
Univ. of Bergen

When in fear and when in doubt, run in circles, scream and shout.
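To make the mapping behaviour discussed in this thread concrete, the following is an added example (not code from the thread, from MIT Kerberos or from OpenSSH) that emulates how MIT krb5 evaluates the `auth_to_local` RULE and DEFAULT types for Edward's three rules, and then performs the same NSS account lookup Edward describes sshd doing before PAM is consulted. The realm EXAMPLE.COM, the sample principals and the realm-restricted alternative rule (RESTRICTED_RULES) are assumptions made for illustration; the parser follows the documented `[n:string](regexp)s/pattern/replacement/g` syntax with the simplifications noted in the comments. It shows that `RULE:[1:dlc]` matches every one-component principal regardless of realm, so a principal from a trusted foreign realm is also mapped to dlc and DEFAULT is never reached, and that a mapped name is still refused unless NSS can resolve it.

```python
"""Emulate MIT Kerberos auth_to_local evaluation and sshd's NSS account lookup.

Added example for the thread above; not code from MIT Kerberos or OpenSSH.
The realm EXAMPLE.COM, the sample principals and RESTRICTED_RULES are
assumptions for illustration.
"""
import pwd
import re
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_REALM = "EXAMPLE.COM"  # assumption: Edward's krb5.conf realm is not shown

# The three rules from Edward's krb5.conf, in order.
EDWARD_RULES = ["RULE:[1:dlc]", "RULE:[2:dlc]", "DEFAULT"]

# Assumed alternative: map only one-component principals *of this realm* to dlc,
# so a principal from a trusted foreign realm is not silently mapped as well.
RESTRICTED_RULES = [r"RULE:[1:$1@$0](.*@EXAMPLE\.COM)s/.*/dlc/", "DEFAULT"]

_SELECTOR_RE = re.compile(r"^\[(\d+):([^\]]*)\]")
# The (regexp) part: simplified to stop at the first ')' followed by 's/' or end.
_MATCH_RE = re.compile(r"^\((.*?)\)(?=s/|$)")
# s/pattern/replacement/[g]; a '/' inside either part must be backslash-escaped.
_SUBST_RE = re.compile(r"^s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")


@dataclass
class Principal:
    components: List[str]
    realm: str

    @classmethod
    def parse(cls, text: str) -> "Principal":
        # Simplified: does not handle backslash-escaped '/' or '@'.
        name, sep, realm = text.rpartition("@")
        if not sep or not realm:
            raise ValueError(f"principal must carry a realm: {text!r}")
        return cls(name.split("/"), realm)

    def unparse(self) -> str:
        return "/".join(self.components) + "@" + self.realm


def apply_rule(rule: str, princ: Principal) -> Optional[str]:
    """Evaluate one RULE: body; return the local name, or None if the rule is skipped."""
    rest = rule
    sel = _SELECTOR_RE.match(rest)
    if sel:
        n = int(sel.group(1))
        if len(princ.components) != n:
            return None  # component count mismatch: this rule does not apply

        def expand(m: "re.Match[str]") -> str:
            i = int(m.group(1))
            if i == 0:
                return princ.realm  # $0 is the realm
            if 1 <= i <= n:
                return princ.components[i - 1]  # $1..$n are the components
            raise ValueError(f"selector references ${i} but rule has n={n}")

        subject = re.sub(r"\$(\d+)", expand, sel.group(2))
        rest = rest[sel.end():]
    else:
        subject = princ.unparse()  # no selector: operate on the full principal name
    mt = _MATCH_RE.match(rest)
    if mt:
        # MIT requires the regexp to match the whole selected string.
        if re.fullmatch(mt.group(1), subject) is None:
            return None
        rest = rest[mt.end():]
    while rest:
        sb = _SUBST_RE.match(rest)
        if not sb:
            raise ValueError(f"malformed auth_to_local rule near {rest!r}")
        pattern, replacement, g = sb.groups()
        subject = re.sub(pattern, replacement, subject, count=0 if g else 1)
        rest = rest[sb.end():]
    return subject


def auth_to_local(rules: List[str], princ: Principal, default_realm: str) -> Optional[str]:
    """First matching rule wins; None means no local name (login is refused)."""
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT maps only one-component principals of the default realm.
            if princ.realm == default_realm and len(princ.components) == 1:
                return princ.components[0]
        elif rule.startswith("RULE:"):
            local = apply_rule(rule[len("RULE:"):], princ)
            if local is not None:
                return local
        else:
            raise ValueError(f"unsupported auth_to_local type: {rule!r}")
    return None


def local_account_exists(name: str) -> bool:
    """The lookup Edward describes sshd doing through NSS (getpwnam) before PAM runs."""
    try:
        pwd.getpwnam(name)
    except KeyError:
        return False
    return True


if __name__ == "__main__":
    samples = ["edward@EXAMPLE.COM", "host/hobbes.example.com@EXAMPLE.COM",
               "a/b/c@EXAMPLE.COM", "edward@OTHER.REALM"]
    for label, rules in (("Edward's rules", EDWARD_RULES), ("realm-restricted", RESTRICTED_RULES)):
        for s in samples:
            local = auth_to_local(rules, Principal.parse(s), DEFAULT_REALM)
            nss = local_account_exists(local) if local else False
            print(f"{label:16} {s:40} -> {local!s:8} NSS account: {nss}")
```

Run it on a host where dlc is not in /etc/passwd or LDAP and the last column stays False for every mapped principal, which is exactly the "illegal user" outcome in Edward's sshd log: the mapping succeeds, but sshd never reaches pam_krb5 because NSS cannot resolve the target account.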


