pam_krb5 questions

Techie techchavez at gmail.com
Thu Jul 15 15:15:05 EDT 2010


Hi,

This question is actually regarding both the RHEL pam_krb5 and the
Debian (Russ's) pam_krb5. What I am trying to do is to have krb5
principals log in via ssh and authenticate to a local account.
So principal joejohnson@EXAMPLE.COM should be authenticated as local
account joe on the local box. I should mention that the host does not
have a keytab, but I am simply trying to authenticate via ssh. I can
authenticate perfectly if the principal matches the local account.

Now I see that krb5.conf allows for something like this, but it
does not work. Auth fails and I get an error that joe@EXAMPLE.COM is
not found in the database. It is not mapping joejohnson@EXAMPLE.COM to
joe; it's trying joe@EXAMPLE.COM, which won't work. This is true on
RHEL and Debian.

[realms]        # section names in krb5.conf are lowercase and case-sensitive
        EXAMPLE.COM = {
                auth_to_local_names = {
                        joejohnson = joe
                }
        }

However, if I put this in appdefaults and add a .k5login with
joejohnson@EXAMPLE.COM in /home/joe, I can log in via ssh fine. This
is only with Debian! RHEL still fails.

[appdefaults]
        forwardable = true
        pam = {
                minimum_uid = 100
                EXAMPLE.COM = {
                        search_k5login = true
                }
        }

But I'd rather use auth_to_local_names or auth_to_local with a
regex. A .k5login for every user may get tedious, but I can deal if I
have to.
Now the Red Hat krb5.conf man page states that I can use these
auth_to_local parameters, but as I said it still looks for the
joe@EXAMPLE.COM entry and not the joejohnson@EXAMPLE.COM entry. What
am I doing wrong? Also it seems that the RHEL pam_krb5 does not
support "search_k5login"; is that accurate?

What is the suggested method here for mapping principals with unlike
local account names using both RHEL and Debian pam_krb5? I must be
doing something incorrectly, so any help is appreciated.


Thanks
TC
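
To make the two mechanisms mentioned above concrete, here is an added
example (editor's illustration, not code from the original post, from MIT
krb5 or from either pam_krb5 module). It models how MIT Kerberos turns a
principal into a local account name: an explicit auth_to_local_names entry
for the principal's realm is consulted first, then the realm's auth_to_local
rules in order, with DEFAULT used when no rule is configured. The RULE
parser is simplified (whole-string regex match, s/pat/rep/[g] substitutions
only, no nested braces), and every configuration value and principal below
is constructed for the example rather than taken from a real krb5.conf.

```python
"""
Simplified model of how MIT Kerberos turns a principal into a local
account name (krb5_aname_to_localname, the code behind krb5_kuserok).
Added illustration only: not code from MIT krb5 or from either pam_krb5
module, and it models only the documented behaviour of auth_to_local_names,
RULE and DEFAULT. All configuration values are constructed for the example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

_SUB_RE = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")


@dataclass
class RealmConfig:
    """The two keys of a [realms] subsection that drive the mapping."""
    auth_to_local_names: Dict[str, str] = field(default_factory=dict)
    auth_to_local: List[str] = field(default_factory=list)


def parse_principal(principal: str) -> Tuple[List[str], str]:
    """Split 'comp1/comp2@REALM' into (components, realm)."""
    if "@" not in principal:
        raise ValueError("principal must carry a realm: %r" % principal)
    name, realm = principal.rsplit("@", 1)
    return name.split("/"), realm


def _split_rule(rule: str) -> Tuple[int, str, str, str]:
    """Break 'RULE:[n:fmt](regex)s/a/b/' into (n, fmt, regex, substitutions)."""
    m = re.match(r"^RULE:\[(\d+):([^\]]*)\]\((.*)$", rule)
    if not m:
        raise ValueError("malformed rule: %r" % rule)
    n, fmt, rest = int(m.group(1)), m.group(2), m.group(3)
    # The regex may contain ')' itself, so its closing paren is the first one
    # followed by nothing at all or by a substitution.
    for i, ch in enumerate(rest):
        tail = rest[i + 1:]
        if ch == ")" and (tail == "" or tail.startswith("s/")):
            return n, fmt, rest[:i], tail
    raise ValueError("unterminated regex in rule: %r" % rule)


def apply_rule(rule: str, components: List[str], realm: str) -> Optional[str]:
    """Evaluate one auth_to_local RULE; None means the rule does not apply."""
    n, fmt, regex, subs = _split_rule(rule)
    if n != len(components):
        return None                       # rule is for principals of another shape
    formatted = fmt.replace("$0", realm)  # $0 is the realm, $1.. the components
    for i, comp in enumerate(components, start=1):
        formatted = formatted.replace("$%d" % i, comp)
    if re.fullmatch(regex, formatted) is None:  # regex must cover the whole string
        return None
    for pat, rep, g in _SUB_RE.findall(subs):
        formatted = re.sub(pat, rep, formatted, count=0 if g else 1)
    return formatted


def map_principal(principal: str, realms: Dict[str, RealmConfig],
                  default_realm: str) -> Optional[str]:
    """Return the local account for a principal, or None if it maps to nothing."""
    components, realm = parse_principal(principal)
    cfg = realms.get(realm, RealmConfig())  # rules live in the principal's realm
    name = "/".join(components)
    # 1. explicit auth_to_local_names entries (keyed without the realm) win
    if name in cfg.auth_to_local_names:
        return cfg.auth_to_local_names[name]
    # 2. auth_to_local rules in order; with none configured, DEFAULT applies
    for rule in (cfg.auth_to_local or ["DEFAULT"]):
        if rule == "DEFAULT":
            if realm == default_realm and len(components) == 1:
                return components[0]
            continue
        result = apply_rule(rule, components, realm)
        if result is not None:
            return result
    return None


# Constructed configs: the poster's auth_to_local_names stanza, an equivalent
# regex RULE, and a deliberately over-broad RULE that maps every single-
# component EXAMPLE.COM principal to joe.
NAMES_CONFIG = {"EXAMPLE.COM": RealmConfig(auth_to_local_names={"joejohnson": "joe"})}
RULE_CONFIG = {"EXAMPLE.COM": RealmConfig(auth_to_local=[
    r"RULE:[1:$1@$0](^joejohnson@EXAMPLE\.COM$)s/^joejohnson@.*$/joe/",
    "DEFAULT",
])}
BROAD_CONFIG = {"EXAMPLE.COM": RealmConfig(auth_to_local=[r"RULE:[1:$1](.*)s/.*/joe/"])}


def demo() -> Dict[Tuple[str, str], Optional[str]]:
    """Map a few principals through each config; keys are (config, principal)."""
    out = {}
    for label, cfg in (("names", NAMES_CONFIG), ("rule", RULE_CONFIG), ("broad", BROAD_CONFIG)):
        for p in ("joejohnson@EXAMPLE.COM", "joe@EXAMPLE.COM",
                  "admin@EXAMPLE.COM", "joejohnson@OTHER.COM"):
            out[(label, p)] = map_principal(p, cfg, "EXAMPLE.COM")
    return out


if __name__ == "__main__":
    for (label, p), local in demo().items():
        print("%-6s %-24s -> %s" % (label, p, local))
```

Two things the run makes visible. First, the input to this mapping is the
principal: both configs answer "joejohnson@EXAMPLE.COM may use account joe",
and neither can ever produce the reverse answer "for login name joe, try the
principal joejohnson@EXAMPLE.COM", which is the question a PAM module has
to answer before it has a ticket; that reverse lookup is what a .k5login in
the target user's home directory (with search_k5login in Russ's module)
provides. Second, the over-broad rule in BROAD_CONFIG maps admin@EXAMPLE.COM
to joe as well: auth_to_local rules are authorization, so anchor the regex to
the exact principal (or at least the exact realm, as in RULE_CONFIG) rather
than matching anything.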


