pam_krb5 questions

Douglas E. Engert deengert at anl.gov
Thu Jul 15 15:43:20 EDT 2010



On 7/15/2010 2:15 PM, Techie wrote:
> Hi,
>
> This question is actually regarding both the RHEL pam_krb5 and the
> Debian or Russ's pam_krb5. What I am trying to do is to have krb5
> principals log in via ssh and authenticate to a local account,
> so principal joejohnson@EXAMPLE.COM should be authenticated as local
> account joe on the local box. I should mention that the host does not
> have a keytab but I am simply trying to authenticate via ssh. I can
> authenticate perfectly if the principal matches the local account.
>
> Now I see that the krb5.conf allows for something like this. But it
> does not work. Auth fails and I get an error that joe@EXAMPLE.COM is
> not found in the database. It is not mapping joejohnson@EXAMPLE.COM to
> joe. It's trying joe@EXAMPLE.COM which won't work. This is true on
> RHEL and Debian.
>
> [realms]
>         EXAMPLE.COM = {
>                 auth_to_local_names = {
>                     joejohnson = joe
>                 }
>         }
>
> However, if I put this in appdefaults and add a .k5login with
> joejohnson@EXAMPLE.COM in /home/joe, I can login via ssh fine. This
> is only with Debian! RHEL still fails.
>
> [appdefaults]
>                forwardable = true
>                pam = {
>                  minimum_uid = 100
>                   EXAMPLE.COM = {
>                        search_k5login = true
>                    }
>                }
>
> But I'd rather use auth_to_local_names or auth_to_local with a
> regex. A .k5login for every user may get tedious but I can deal if I
> have to.
> Now the RedHat krb5.conf man page states that I can use these
> auth_to_local parameters but as I said it still looks for the
> joe@EXAMPLE.COM entry and not the joejohnson@EXAMPLE.COM entry. What
> am I doing wrong? Also it seems that the RHEL pam_krb5 does not
> support "search_k5login", is that accurate?

Interestingly, I have been looking at this same problem this week!

Russ's pam_krb5 has both the prompt_principal and search_k5login
options that could be used. The RedHat one has only a mappings = regex regex ...
option which is not very flexible. If it's only for a few users
it might work. In either case you still need ~/.k5login or auth_to_local.

Options include:

  run Russ's pam_krb5, at least for sshd.

  Use double /etc/passwd entries like:
  joe:x:11111:22222:Joe original:/home/joe:/bin/bash
  joejohnson:x:11111:22222:Joe original:/home/joe:/bin/bash

Also duplicate any joe entries with joejohnson entries in /etc/group
and/or netgroups.

If using LDAP you can add a second uid=joejohnson attribute to the joe account,
and add joejohnson to any groups and/or netgroups.

>
> What is the suggested method here for mapping principals with unlike
> local account names using both RHEL and Debian pam_krb5? I must be
> doing something incorrectly so any help is appreciated.

Not doing anything wrong, sshd and RedHat pam_krb5 are not very
flexible.

>
> Thanks
> TC
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
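As an added illustration of what the settings argued over in this thread actually decide, here is a small Python model of MIT Kerberos principal-to-local-name mapping and of the ~/.k5login check that search_k5login relies on. It is example code written for this page, not code from the thread, from MIT krb5 or from either pam_krb5. The auth_to_local_names entry is the poster's; the realm name, the two RULE lines, the extra principals (bobjohnson, alice, joe/admin) and the .k5login contents are constructed for the example. The RULE syntax it parses is the documented MIT form RULE:[n:string](regexp)s/pattern/replacement/g; backreferences in the replacement and escaped '/' or '@' characters are not handled.

```python
"""Model of how MIT Kerberos maps a principal to a local account.

Added example, not code from this thread, from MIT krb5 or from either
pam_krb5. It implements the documented krb5.conf auth_to_local_names
lookup, the RULE:[n:string](regexp)s/pattern/replacement/g syntax, the
DEFAULT rule, and the .k5login check that search_k5login relies on.
Assumed simplifications: no backreferences in the replacement, no
escaped '/' inside a rule, no escaped '/' or '@' in principal names.
"""
import re
from typing import Dict, List, Optional

DEFAULT_REALM = "EXAMPLE.COM"

# Constructed [realms] configuration. The auth_to_local_names entry is the
# poster's; the two RULE lines are assumptions added here for illustration.
REALMS: Dict[str, dict] = {
    "EXAMPLE.COM": {
        "auth_to_local_names": {"joejohnson": "joe"},
        "auth_to_local": [
            # strip a "johnson" suffix: bobjohnson@EXAMPLE.COM -> bob
            r"RULE:[1:$1@$0](^.*johnson@EXAMPLE\.COM$)s/johnson@EXAMPLE\.COM$//",
            # two-component admin instance: joe/admin@EXAMPLE.COM -> joe
            r"RULE:[2:$1;$2](^.*;admin$)s/;admin$//",
            "DEFAULT",
        ],
    },
}

_RULE_RE = re.compile(r"^RULE:\[(\d+):(.*?)\]\((.*)\)s/(.*)/(.*)/(g?)$")


def parse_principal(principal: str):
    """Split 'c1/c2@REALM' into (components, realm); no realm means the default."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        name, realm = principal, DEFAULT_REALM
    return name.split("/"), realm


def _format(template: str, comps: List[str], realm: str) -> str:
    """Expand $0 (realm) and $1..$n (components) in the [n:string] part."""
    def sub(m):
        i = int(m.group(1))
        if i == 0:
            return realm
        return comps[i - 1] if i <= len(comps) else ""
    return re.sub(r"\$(\d+)", sub, template)


def apply_rule(rule: str, comps: List[str], realm: str) -> Optional[str]:
    """Return the local name one rule yields, or None if the rule does not apply."""
    if rule == "DEFAULT":
        # DEFAULT accepts only one-component principals in the default realm.
        return comps[0] if realm == DEFAULT_REALM and len(comps) == 1 else None
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unparseable auth_to_local rule: {rule}")
    n, template, selector, pattern, replacement, flag = m.groups()
    if int(n) != len(comps):
        return None
    candidate = _format(template, comps, realm)
    # The selector regexp must match the whole formatted string.
    if not re.fullmatch(selector, candidate):
        return None
    count = 0 if flag == "g" else 1
    return re.sub(pattern, lambda _m: replacement, candidate, count=count)


def aname_to_localname(principal: str) -> Optional[str]:
    """Explicit auth_to_local_names first, then auth_to_local rules, both taken
    from the principal's realm; a realm with no auth_to_local gets DEFAULT only."""
    comps, realm = parse_principal(principal)
    conf = REALMS.get(realm, {})
    hit = conf.get("auth_to_local_names", {}).get("/".join(comps))
    if hit:
        return hit
    for rule in conf.get("auth_to_local", ["DEFAULT"]):
        local = apply_rule(rule, comps, realm)
        if local is not None:
            return local
    return None


def kuserok(local_user: str, principal: str, k5login: Optional[List[str]]) -> bool:
    """If ~local_user/.k5login exists it is authoritative and the principal must
    be listed in it; otherwise the principal must map to local_user.
    k5login holds the file's lines, or None when the file does not exist."""
    if k5login is not None:
        return principal in {line.strip() for line in k5login if line.strip()}
    return aname_to_localname(principal) == local_user


if __name__ == "__main__":
    for p in ["joejohnson@EXAMPLE.COM", "bobjohnson@EXAMPLE.COM",
              "joe/admin@EXAMPLE.COM", "alice@EXAMPLE.COM", "alice@OTHER.COM"]:
        print(f"{p:28} -> {aname_to_localname(p)}")
    # The poster's working Debian setup: ~joe/.k5login lists joejohnson@EXAMPLE.COM
    k5 = ["joejohnson@EXAMPLE.COM\n"]
    print(kuserok("joe", "joejohnson@EXAMPLE.COM", k5))  # True
    print(kuserok("joe", "joe@EXAMPLE.COM", k5))         # False: the file is authoritative
```

Two things worth noticing when running it: both auth_to_local_names and auth_to_local are looked up under the stanza for the principal's realm inside [realms], so the mapping has to be written in that section and for that realm; and once a .k5login file exists for the account it decides on its own, so a principal that would have mapped to joe through the rules is still refused unless it is listed.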