pam_krb5 questions

Techie techchavez at gmail.com
Thu Jul 15 16:23:53 EDT 2010


On Thu, Jul 15, 2010 at 12:43 PM, Douglas E. Engert <deengert at anl.gov> wrote:
>
>
> On 7/15/2010 2:15 PM, Techie wrote:
>> Hi,
>>
>> This question is actually regarding both the RHEL pam_krb5 and the
>> Debian or Russ's pam_krb5. What I am trying to do is to have krb5
>> principals login via ssh and authenticate to a local account.
>> so principal joejohnson at EXAMPLE.COM should be authenticated as local
>> account joe on the local box. I should mention that the host does not
>> have a keytab but I am simply trying to authenticate via ssh. I can
>> authenticate perfectly if the principal matches the local account.
>>
>> Now I see that the krb5.conf allows for something like this.. But it
>> does not work..Auth fails and I get an error that joe at EXAMPLE.COM is
>> not found in the database. It is not mapping joejohnson at EXAMPLE.COM to
>> joe...It's trying joe at EXAMPLE.COM which won't work. This is true on
>> RHEL and Debian.
>>
>> [REALMS]
>>         EXAMPLE.COM = {
>>                 auth_to_local_names = {
>>                     joejohnson = joe
>>                  }
>>         }
>>
>> However, If I put this in appdefaults and add a .k5login with
>> joejohnson at EXAMPLE.COM in /home/joe, I can login via ssh fine.. This
>> is only with Debian!!,  RHEL still fails.
>>
>> [appdefaults]
>>                forwardable = true
>>                pam = {
>>                  minimum_uid = 100
>>                   EXAMPLE.COM = {
>>                        search_k5login = true
>>                    }
>>                }
>>
>> But I'd rather use auth_to_local_names or auth_to_local with a
>> regex..A .k5login for every user may get tedious but I can deal if I
>> have to.
>> Now the RedHat krb5.conf man page states that I can use these
>> auth_to_local parameters but as I said it still looks for the
>> joe at EXAMPLE.COM entry and not the joejohnson at EXAMPLE.COM entry... What
>> am I doing wrong. Also it seems that the RHEL pam_krb5 does not
>> support "search_k5login", is that accurate?
>
> Interestingly, I have been looking at this same problem this week!
>
> Russ's pam_krb5 has both the prompt_principal, and search_k5login
> that could be used. The RedHat has only a mappings = regex regex ...
> option which is not very flexible. If it's only for a few users
> it might work. In either case you still need ~/.k5login or auth_to_local
>
> Options include:
>
>  run Russ's pam_krb5, at least for sshd.
I compiled Russ's pam_krb5 on Fedora and now I can use the .k5login
file to auth with joejohnson at EXAMPLE.COM to my local joe account.
However the auth_to_local_names maps don't work..Only the .k5login
works.. If I remove auth_to_local_names altogether it still works with
the .k5login in place. So it seems .k5login is working while
auth_to_local_names is not..
You said above I would still need .k5login or auth_to_local. I assume
then that auth_to_local_names won't work period?
>
>  Use double /etc/password entries like:
>  joe:x:11111:22222:Joe original:/home/joe:/bin/bash
>  joejohnson:x:11111:22222:Joe original:/home/joe:/bin/bash
>
I did not have to do this step, duplicating the password entries. Can
you please explain the need for this? I did notice that using .k5login
the sudo command breaks and does not accept the kerb password. Is
there a way around this? I have the pam_krb5 listed in all 4 PAM
stacks but it still does not accept the kerb password for sudo.
> Also duplicate any joe entries with joejohnson entries in /etc/groups
> and/or netgroups.
>
> If using ldap you can add a Uid=joejohnson attribute to the joe account.
> and add joejohnson to any groups and/or netgroups.
>
>>
>> What is the suggested method here for mapping principals with unlike
>> local account names using both RHEL and Debian pam_krb? I must be
>> doing something incorrectly so any help is appreciated.
>
> Not doing anything wrong, sshd and RedHat pam_krb5 are not very
> flexible.
That's good to know. Even on a debian box I am unable to use
auth_to_local_names.. Is there a specific section I am supposed to put
this auth_to_local_names entry? I am specifying it in the [REALM]
section as instructed by the krb5.conf man page.

Thanks again
TC
>
>>
>> Thanks
>> TC
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>
> --
>
>  Douglas E. Engert  <DEEngert at anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444
>
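The thread keeps running into one asymmetry: auth_to_local_names and auth_to_local map an already-authenticated principal to a local account name, but they never tell a PAM module which principal to try when local user joe types a password, which is why the module keeps building joe@EXAMPLE.COM. A .k5login entry (or Russ's search_k5login) works because it is an explicit authorization list consulted by krb5_kuserok instead. The model below is an added example, not code from either pam_krb5 or anyone on the thread; it evaluates a constructed krb5.conf fragment the way MIT krb5 applies auth_to_local_names, then auth_to_local RULE entries and DEFAULT, and shows the .k5login-versus-mapping decision that kuserok makes. The function names, the dictionary form of the config, and the extra -admin rule are assumptions for illustration (escaped slashes inside a RULE substitution are not handled).

```python
"""Model of MIT Kerberos principal-to-local-name mapping and the kuserok
authorization check. Added illustrative example; helper names are hypothetical."""
import re

# Constructed krb5.conf, modelled on the fragment quoted in the thread,
# expressed as a dict so the example runs offline.
KRB5_CONF = {
    "libdefaults": {"default_realm": "EXAMPLE.COM"},
    "realms": {
        "EXAMPLE.COM": {
            # auth_to_local_names = { joejohnson = joe }
            "auth_to_local_names": {"joejohnson": "joe"},
            # Extra RULE (assumed, not from the thread): strip a -admin suffix.
            "auth_to_local": [
                r"RULE:[1:$1@$0](^.*-admin@EXAMPLE\.COM$)s/-admin@EXAMPLE\.COM$//",
                "DEFAULT",
            ],
        }
    },
}

RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\((.*)\))?(?:s/([^/]*)/([^/]*)/(g?))?")


def split_principal(principal):
    """'joe/admin@EXAMPLE.COM' -> (['joe', 'admin'], 'EXAMPLE.COM')."""
    name, _, realm = principal.rpartition("@")
    return name.split("/"), realm


def apply_rule(rule, components, realm, default_realm):
    """Evaluate one auth_to_local entry; None means the rule does not apply."""
    if rule == "DEFAULT":
        # DEFAULT only maps single-component principals in the default realm.
        if len(components) == 1 and realm == default_realm:
            return components[0]
        return None
    m = RULE_RE.fullmatch(rule)
    if not m:
        raise ValueError(f"malformed auth_to_local rule: {rule}")
    ncomp, fmt, selector, pat, rep, gflag = m.groups()
    if len(components) != int(ncomp):
        return None
    # Build the candidate string: $0 is the realm, $1.. are the components.
    candidate = fmt.replace("$0", realm)
    for i, comp in enumerate(components, start=1):
        candidate = candidate.replace(f"${i}", comp)
    # The selector regex decides whether the rule fires at all.
    if selector and not re.search(selector, candidate):
        return None
    if pat is not None:
        candidate = re.sub(pat, rep, candidate, count=0 if gflag else 1)
    return candidate


def principal_to_local(principal, conf=KRB5_CONF):
    """Principal -> local user name, or None when nothing maps it."""
    components, realm = split_principal(principal)
    default_realm = conf["libdefaults"]["default_realm"]
    realm_conf = conf["realms"].get(realm, {})
    # Explicit names are consulted first, keyed by the name without realm.
    explicit = realm_conf.get("auth_to_local_names", {}).get("/".join(components))
    if explicit is not None:
        return explicit
    for rule in realm_conf.get("auth_to_local", ["DEFAULT"]):
        result = apply_rule(rule, components, realm, default_realm)
        if result is not None:
            return result
    return None


def kuserok(principal, local_user, k5login=None, conf=KRB5_CONF):
    """Model of krb5_kuserok: if the user has a .k5login, authorization is list
    membership; otherwise the principal must map onto the local user. (The real
    check also verifies .k5login ownership and permissions; omitted here.)"""
    if k5login is not None:
        return principal in k5login
    return principal_to_local(principal, conf) == local_user


if __name__ == "__main__":
    for p in ("joejohnson@EXAMPLE.COM", "joe@EXAMPLE.COM", "bob-admin@EXAMPLE.COM",
              "joe/admin@EXAMPLE.COM", "joe@OTHER.ORG"):
        print(f"{p:28} -> {principal_to_local(p)}")
    # Constructed /home/joe/.k5login contents from the thread's scenario.
    print(kuserok("joejohnson@EXAMPLE.COM", "joe", k5login=["joejohnson@EXAMPLE.COM"]))
```

Note what the model does and does not settle: given a ticket for joejohnson@EXAMPLE.COM, both the explicit name map and the .k5login authorize login as joe. Neither changes the principal a password-prompting PAM module derives from the PAM user name, so a mapping-only configuration cannot make "ssh joe@host" obtain a TGT for joejohnson; that step needs the module to be told the principal (search_k5login, prompt_principal, or a local account named after the principal).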