SSH with auth_to_local on common account

Edward Murrell edward at dlconsulting.com
Thu Jan 4 17:48:59 EST 2007


*dips his toe into the chilly waters of the off topic stream

That's true. However, the LDAP server is on a different continent, so
nscd isn't going to help that much.

Well, it will, but it's not the entire solution.

I have idly wondered sometimes if MS wasn't onto something with stuffing
authentication data (ie LDAP) inside Kerberos. In cases like this, it
would be quite handy.

- Edward

Bjoern Tore Sund wrote:
> The solution is to have nscd running.  At least that solved the issue 
> for me.
>
> -BT
>
> Edward Murrell wrote:
>   
>> In the interests of helping people with the same problem in the
>> future... I thought I'd post where I'm up to with this.
>>
>> So, pam_krb5 isn't sufficient to do this job. It would appear that SSH
>> uses NSS to look up a list of users that do exist on the system.
>>
>> Since my local user doesn't exist, SSH allows you to enter a password in
>> the name of not giving away information about what users do exist on the
>> system, then kicks you out. The solution is to have a list of users that
>> exist in some way available to NSS (like /etc/passwd or LDAP), even if
>> you can't actually log in to the system with them.
>>
>> I guess I'll have to get LDAP updates working. I guess I'm going to have
>> to kick OpenLDAP around a bit again. *sigh* (I've not had great success
>> with OpenLDAP replicas).
>>
>> Cheers,
>> Edward
>>
>> Edward Murrell wrote:
>>     
>>> Hi all,
>>>
>>> I've got an issue with KRB5 auth_to_local and ssh that I'm trying to
>>> work out.
>>>
>>> I have a machine called 'hobbes' with a common user account that I'm to
>>> get working with SSH and Kerberos.
>>>
>>> Normal SSH + Kerberos works perfectly.
>>>
>>> However, the specs call for anyone with a valid Kerberos account to be
>>> able to login via SSH to a common account (called dlc).
>>>
>>> Using the following, I have been able to get the following to work if
>>> the initiating user has a valid Kerberos ticket;
>>>
>>> Changes:
>>> krb5.conf REALM:
>>>         auth_to_local = RULE:[1:dlc]
>>>         auth_to_local = RULE:[2:dlc]
>>>         auth_to_local = DEFAULT
>>>
>>> /etc/pam.d/common-account:
>>>     account sufficient      pam_krb5.so
>>>     account required        pam_unix.so
>>>
>>> Command:
>>>     ssh -l dlc hobbes
>>>
>>>
>>> The problem is that users will at times need to log in from a location
>>> that does not have Kerberos installed. At this point, the system will
>>> ask for the password for the dlc Kerberos user (that does not exist),
>>> and will fail with an error like the following:
>>>
>>> Jan  3 16:23:29 hobbes sshd[17471]: error: PAM: System error for illegal
>>> user edward from 1.1.1.1
>>> Jan  3 16:23:29 hobbes sshd[17471]: Failed unknown for illegal user
>>> edward from 1.1.1.1 port 54214 ssh2
>>>
>>> From looking at the logs, it looks like the pam krb5 doesn't get called
>>> at all.
>>>
>>> Any suggestions?
>>> I'm sure it's a very simple answer but I'm just too silly to work it out.
>>>
>>> Cheers
>>> Edward
>>> ________________________________________________
>>> Kerberos mailing list           Kerberos at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
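The auth_to_local rules in the original post map every one- or two-component principal to the local account dlc, regardless of which realm the principal came from, and the thread later notes that the mapped name must also resolve through NSS before sshd will let the session in. The following evaluator is an added example, not code from the thread or from MIT Kerberos; it implements the RULE:[n:string](regexp)s/pat/repl/ and DEFAULT semantics in Python so the rules can be dry-run against sample principals. The realm EXAMPLE.COM, the principals, and the realm-restricted rule at the end are constructed for illustration.

```python
import re

# Accepts "RULE:[n:string]" optionally followed by "(regexp)" and then
# zero or more "s/pattern/replacement/[g]" substitutions (MIT krb5 syntax).
# Regexps containing parentheses are not handled by this simplified parser.
_RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(.*)$")
_SED_RE = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")


def parse_principal(principal):
    """Split 'a/b@REALM' into (['a', 'b'], 'REALM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError("principal has no realm: %r" % principal)
    return name.split("/"), realm


def apply_rule(rule, principal, default_realm):
    """Return the local name produced by one rule, or None if it does not apply."""
    comps, realm = parse_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT only maps single-component principals of the local realm.
        if realm == default_realm and len(comps) == 1:
            return comps[0]
        return None
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule: %r" % rule)
    ncomp, fmt, regexp, seds = m.groups()
    if len(comps) != int(ncomp):
        return None  # rule is for principals with a different component count
    # Expand $0 (realm) and $1..$n (components) in the format string.
    text = fmt.replace("$0", realm)
    for i, comp in enumerate(comps, 1):
        text = text.replace("$%d" % i, comp)
    # The optional regexp must match the expanded string in full.
    if regexp is not None and re.fullmatch(regexp, text) is None:
        return None
    # Apply the sed-style substitutions left to right.
    for sm in _SED_RE.finditer(seds):
        pat, repl, g = sm.groups()
        text = re.sub(pat, repl, text, count=0 if g else 1)
    return text


def map_principal(rules, principal, default_realm):
    """First rule that yields a name wins; None means no local account."""
    for rule in rules:
        local = apply_rule(rule, principal, default_realm)
        if local is not None:
            return local
    return None


# Rules exactly as posted in the thread.
THREAD_RULES = ["RULE:[1:dlc]", "RULE:[2:dlc]", "DEFAULT"]

# A constructed alternative that only maps principals of the local realm:
# rebuild "user@REALM", require the realm suffix, then rewrite to dlc.
REALM_RESTRICTED_RULES = [
    r"RULE:[1:$1@$0](^.*@EXAMPLE\.COM$)s/^.*$/dlc/",
    "DEFAULT",
]

if __name__ == "__main__":
    for p in ("edward@EXAMPLE.COM", "host/hobbes@EXAMPLE.COM",
              "a/b/c@EXAMPLE.COM", "mallory@OTHER.REALM"):
        print("%-26s thread rules -> %-6s restricted -> %s" % (
            p,
            map_principal(THREAD_RULES, p, "EXAMPLE.COM"),
            map_principal(REALM_RESTRICTED_RULES, p, "EXAMPLE.COM")))
```

Running it shows that with the posted rules mallory@OTHER.REALM also lands on dlc, so if the realm ever gains a cross-realm trust the common account is open to that realm too; the constructed realm-restricted rule maps the same local users but rejects the foreign principal. Whichever mapping is used, the name it returns still has to be visible to NSS (getent passwd dlc), which is the point the thread arrives at.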
