Using LDAP in place of .k5login

Jos Backus jos at catnook.com
Wed Oct 3 18:17:56 EDT 2007


On Wed, Oct 03, 2007 at 07:51:30PM +0100, Markus Moeller wrote:
> Could this be part of a name service extension, so that it can be either 
> local file, nis or ldap or .. ?

Well, what I'm after is a centralized OpenSSH authorization solution which
currently doesn't seem to exist. To quote from my earlier email:

In the solution I am envisioning, this daemon would take the hostname,
principal and username and return whether the mapping is valid or not, i.e.
whether that principal can log into that user at hostname.  This then would
somehow end up back in the app through krb5_kuserok().
   
(Btw, it sounds like this could also be implemented using a centralized
authorization server.)

Having a secure facility like this available could probably benefit other apps
besides OpenSSH.

Jos

> Markus
> 
> "Douglas E. Engert" <deengert at anl.gov> wrote in message 
> news:4702BBC5.3050703 at anl.gov...
> > Does anyone have any mods to use LDAP to store the auth_to_local
> > database? Something like:
> >
> > auth_to_local=LDAP:....
> >
> > Thus it could be used by sshd for example.
> >
> > -- 
> >
> >  Douglas E. Engert  <DEEngert at anl.gov>
> >  Argonne National Laboratory
> >  9700 South Cass Avenue
> >  Argonne, Illinois  60439
> >  (630) 252-5444
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> > 

-- 
Jos Backus
jos at catnook.com
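The decision the proposed daemon would make, as an added example that is not code from this thread or from MIT Kerberos or OpenSSH: it takes the (hostname, principal, username) triple Jos describes and answers the same question krb5_kuserok() answers from ~/.k5login, but against one central store. The hostnames, principals, the EXAMPLE.COM realm and the dictionary standing in for the LDAP directory are all constructed for illustration, and the function names (kuserok, auth_to_local) are this example's own; the thread does not define a wire protocol, so only the decision logic is shown.

```python
"""
Centralized stand-in for the ~/.k5login check performed by krb5_kuserok().

Added example, not code from the mailing-list thread. An in-memory dict
stands in for the LDAP directory the thread proposes; all names below are
constructed sample data.
"""
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed sample directory: (hostname, local username) -> principals
# allowed to log in as that user on that host. One entry here replaces the
# per-account ~/.k5login file on that host.
K5LOGIN_DIRECTORY: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("web1.example.com", "www"): frozenset({"jos@EXAMPLE.COM", "admin/web@EXAMPLE.COM"}),
    ("db1.example.com", "postgres"): frozenset({"dba@EXAMPLE.COM"}),
    # An empty entry means "nobody may log in as this user", just as an
    # existing but empty .k5login does.
    ("db1.example.com", "root"): frozenset(),
}

DEFAULT_REALM = "EXAMPLE.COM"  # assumption: the hosts' local realm


def auth_to_local(principal: str, default_realm: str) -> Optional[str]:
    """Minimal stand-in for the default auth_to_local behaviour: a
    single-component principal in the local realm maps to the local user of
    the same name; a foreign realm or an instance component yields no local
    name at all."""
    name, sep, realm = principal.rpartition("@")
    if not sep or realm != default_realm or not name or "/" in name:
        return None
    return name


def kuserok(hostname: str, principal: str, username: str,
            directory: Dict[Tuple[str, str], FrozenSet[str]] = K5LOGIN_DIRECTORY,
            default_realm: str = DEFAULT_REALM) -> bool:
    """Mirror the krb5_kuserok() decision against the central directory.

    If an entry exists for (hostname, username) it is authoritative, exactly
    as the presence of ~/.k5login is: the principal must be listed, realm
    included, or the login is refused. With no entry, fall back to the
    default rule: the principal must map to that same local username.
    """
    entry = directory.get((hostname, username))
    if entry is not None:
        return principal in entry
    return auth_to_local(principal, default_realm) == username


if __name__ == "__main__":
    # Listed principal on a host with an explicit entry.
    print(kuserok("web1.example.com", "jos@EXAMPLE.COM", "www"))      # True
    # Explicit entry exists but does not list this principal.
    print(kuserok("db1.example.com", "postgres@EXAMPLE.COM", "postgres"))  # False
    # No entry: default rule, same name in the local realm.
    print(kuserok("app1.example.com", "jos@EXAMPLE.COM", "jos"))      # True
    # No entry: foreign realm is never trusted by the default rule.
    print(kuserok("app1.example.com", "jos@OTHER.COM", "jos"))        # False
```

Whatever actually carries the query to the daemon, the lookup key has to include the host, not just the user: the same username on two hosts is two different accounts, and a client-supplied hostname that the daemon does not verify would let one host claim another's mappings.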
