pam_krb5 questions
Douglas E. Engert
deengert at anl.gov
Thu Jul 15 15:43:20 EDT 2010
On 7/15/2010 2:15 PM, Techie wrote:
> Hi,
>
> This question is actually regarding both the RHEL pam_krb5 and the
> Debian or Russ's pam_krb5. What I am trying to do is to have krb5
> principals login via ssh and authenticate to a local account.
> so principal joejohnson@EXAMPLE.COM should be authenticated as local
> account joe on the local box. I should mention that the host does not
> have a keytab but I am simply trying to authenticate via ssh. I can
> authenticate perfectly if the principal matches the local account.
>
> Now I see that the krb5.conf allows for something like this, but it
> does not work. Auth fails and I get an error that joe@EXAMPLE.COM is
> not found in the database. It is not mapping joejohnson@EXAMPLE.COM to
> joe. It's trying joe@EXAMPLE.COM, which won't work. This is true on
> RHEL and Debian.
>
> [REALMS]
> EXAMPLE.COM = {
>     auth_to_local_names = {
>         joejohnson = joe
>     }
> }
>
> However, if I put this in appdefaults and add a .k5login with
> joejohnson@EXAMPLE.COM in /home/joe, I can login via ssh fine. This
> is only with Debian! RHEL still fails.
>
> [appdefaults]
> forwardable = true
> pam = {
>     minimum_uid = 100
>     EXAMPLE.COM = {
>         search_k5login = true
>     }
> }
>
> But I'd rather use auth_to_local_names or auth_to_local with a
> regex. A .k5login for every user may get tedious, but I can deal if I
> have to.
> Now the Red Hat krb5.conf man page states that I can use these
> auth_to_local parameters, but as I said it still looks for the
> joe@EXAMPLE.COM entry and not the joejohnson@EXAMPLE.COM entry. What
> am I doing wrong? Also, it seems that the RHEL pam_krb5 does not
> support "search_k5login"; is that accurate?
Interestingly, I have been looking at this same problem this week!
Russ's pam_krb5 has both the prompt_principal and search_k5login
options that could be used. The Red Hat one has only a mappings = regex regex ...
option, which is not very flexible. If it's only for a few users
it might work. In either case you still need ~/.k5login or auth_to_local.
Options include:
  run Russ's pam_krb5, at least for sshd.
  Use double /etc/passwd entries like:
    joe:x:11111:22222:Joe original:/home/joe:/bin/bash
    joejohnson:x:11111:22222:Joe original:/home/joe:/bin/bash
  Also duplicate any joe entries with joejohnson entries in /etc/group
  and/or netgroups.
  If using LDAP you can add a uid=joejohnson attribute to the joe account
  and add joejohnson to any groups and/or netgroups.
>
> What is the suggested method here for mapping principals with unlike
> local account names using both RHEL and Debian pam_krb? I must be
> doing something incorrectly so any help is appreciated.
Not doing anything wrong; sshd and Red Hat pam_krb5 are not very
flexible.
>
> Thanks
> TC
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
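Editor's added example, not part of the thread and not code from MIT krb5 or either pam_krb5: the Python below re-implements, for illustration, the mapping the krb5 library performs when an application asks it to translate a principal to a local name. An explicit auth_to_local_names entry is consulted first, then the auth_to_local values in order; a RULE's regular expression has to match the whole formatted string, and DEFAULT applies only to a single-component principal in the default realm. The krb5.conf it reads is constructed: it carries the poster's joejohnson = joe entry plus an assumed RULE that strips a "johnson" suffix, the kind of regex mapping the poster asked about. It shows what the library would return for a caller that uses this mapping; whether a given pam_krb5 ever consults it is the separate point made in the reply above.

```python
"""Constructed re-implementation of MIT krb5's auth_to_local name mapping
(auth_to_local_names, then RULE:/DEFAULT entries).  Illustration only; this is
not the krb5 library's code and the config below is made up for the example."""
import re

# Constructed krb5.conf as a dict.  The auth_to_local_names entry is the one from
# the thread; the RULE line is an assumption added here to show a regex mapping.
KRB5_CONF = {
    "libdefaults": {"default_realm": "EXAMPLE.COM"},
    "realms": {
        "EXAMPLE.COM": {
            "auth_to_local_names": {"joejohnson": "joe"},
            "auth_to_local": [
                # strip a "johnson" family-name suffix from one-component principals
                r"RULE:[1:$1@$0](^[a-z]+johnson@EXAMPLE\.COM$)s/johnson@EXAMPLE\.COM$//",
                "DEFAULT",
            ],
        },
    },
}


def parse_principal(text):
    """'joe/admin@EXAMPLE.COM' -> (['joe', 'admin'], 'EXAMPLE.COM')."""
    name, realm = text.rsplit("@", 1)
    return name.split("/"), realm


def _split_rule(rule):
    """Split 'RULE:[n:fmt](regex)s/pat/repl/[g]' into (n, fmt, regex, sed).
    Escaped parentheses inside the regex are not handled; fine for the example."""
    m = re.match(r"RULE:\[(\d+):([^\]]*)\](.*)$", rule)
    if not m:
        raise ValueError("malformed rule: " + rule)
    ncomp, fmt, rest = int(m.group(1)), m.group(2), m.group(3)
    regex = None
    if rest.startswith("("):
        depth = 0
        for i, ch in enumerate(rest):
            depth += {"(": 1, ")": -1}.get(ch, 0)
            if depth == 0:
                regex, rest = rest[1:i], rest[i + 1:]
                break
        else:
            raise ValueError("unbalanced parentheses in rule: " + rule)
    return ncomp, fmt, regex, rest


def _apply_sed(sed, text):
    """Apply 's/pattern/replacement/[g]'; the replacement is inserted literally.
    A '/' inside the pattern would need escape handling this example omits."""
    if not sed:
        return text
    parts = sed.split("/")
    if len(parts) != 4 or parts[0] != "s" or parts[3] not in ("", "g"):
        raise ValueError("malformed sed expression: " + sed)
    pattern, repl, flags = parts[1], parts[2], parts[3]
    return re.sub(pattern, lambda _m: repl, text, count=0 if flags == "g" else 1)


def apply_rule(rule, components, realm, default_realm):
    """Local name produced by one rule, or None when the rule does not apply."""
    if rule == "DEFAULT":
        # DEFAULT only fires for a one-component principal in the default realm,
        # so joe@OTHER.ORG or joe/admin@EXAMPLE.COM never become local 'joe'.
        return components[0] if len(components) == 1 and realm == default_realm else None
    ncomp, fmt, regex, sed = _split_rule(rule)
    if len(components) != ncomp:
        return None
    selection = fmt.replace("$0", realm)
    for i, comp in enumerate(components, start=1):
        selection = selection.replace("$%d" % i, comp)
    # the library requires the regex to match the whole selection string
    if regex is not None and re.fullmatch(regex, selection) is None:
        return None
    return _apply_sed(sed, selection)


def aname_to_localname(principal, conf=KRB5_CONF):
    """Map a principal to a local account name, or None when no rule applies
    (the library reports a translation failure and the caller must deny)."""
    components, realm = parse_principal(principal)
    realm_conf = conf["realms"].get(realm, {})
    default_realm = conf["libdefaults"]["default_realm"]
    # explicit entries are keyed by the principal name without its realm
    explicit = realm_conf.get("auth_to_local_names", {}).get("/".join(components))
    if explicit is not None:
        return explicit
    # with no auth_to_local value present, the library behaves as if DEFAULT were set
    for rule in realm_conf.get("auth_to_local", ["DEFAULT"]):
        local = apply_rule(rule, components, realm, default_realm)
        if local is not None:
            return local
    return None


if __name__ == "__main__":
    for p in ("joejohnson@EXAMPLE.COM", "bobjohnson@EXAMPLE.COM", "joe@EXAMPLE.COM",
              "joe/admin@EXAMPLE.COM", "joe@OTHER.ORG"):
        print(p, "->", aname_to_localname(p))
```

Two results are worth noting when running it: joe/admin@EXAMPLE.COM and joe@OTHER.ORG both map to nothing, so a caller that honours the library's answer gets a translation failure rather than quietly treating either as local joe; and the explicit auth_to_local_names entry wins for joejohnson even though the RULE would also have matched it.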