pam_krb5 questions

Douglas E. Engert deengert at anl.gov
Thu Jul 15 16:40:27 EDT 2010



On 7/15/2010 3:23 PM, Techie wrote:
> On Thu, Jul 15, 2010 at 12:43 PM, Douglas E. Engert<deengert at anl.gov>  wrote:
>>
>>
>> On 7/15/2010 2:15 PM, Techie wrote:
>>> Hi,
>>>
>>> This question is actually regarding both the RHEL pam_krb5 and the
>>> Debian or Russ's pam_krb5. What I am trying to do is to have krb5
>>> principals login via ssh and authenticate to a local account.
>>> so principal joejohnson at EXAMPLE.COM should be authenticated as local
>>> account joe on the local box. I should mention that the host does not
>>> have a keytab but I am simply trying to authenticate via ssh. I can
>>> authenticate perfectly if the principal matches the local account.
>>>
>>> Now I see that the krb5.conf allows for something like this.. But it
>>> does not work..Auth fails and I get an error that joe at EXAMPLE.COM is
>>> not found in the database. It is not mapping joejohnson at EXAMPLE.COM to
>>> joe...It's trying joe at EXAMPLE.COM which won't work. This is true on
>>> RHEL and Debian.
>>>
>>> [REALMS]
>>>          EXAMPLE.COM = {
>>>                  auth_to_local_names = {
>>>                      joejohnson = joe
>>>                   }
>>>          }
>>>
>>> However, If I put this in appdefaults and add a .k5login with
>>> joejohnson at EXAMPLE.COM in /home/joe, I can login via ssh fine.. This
>>> is only with Debian!!,  RHEL still fails.
>>>
>>> [appdefaults]
>>>                 forwardable = true
>>>                 pam = {
>>>                   minimum_uid = 100
>>>                    EXAMPLE.COM = {
>>>                         search_k5login = true
>>>                     }
>>>                 }
>>>
>>> But I'd rather use auth_to_local_names or auth_to_local with a
>>> regex..A .k5login for every user may get tedious but I can deal if I
>>> have to.
>>> Now the RedHat krb5.conf man page states that I can use these
>>> auth_to_local parameters but as I said it still looks for the
>>> joe at EXAMPLE.COM entry and not the joejohnson at EXAMPLE.COM entry... What
>>> am I doing wrong. Also it seems that the RHEL pam_krb5 does not
>>> support "search_k5login", is that accurate?
>>
>> Interestingly, I have been looking at this same problem this week!
>>
>> Russ's pam_krb5 has both the prompt_principal, and search_k5login
>> that could be used. The RedHat has only a mappings = regex regex ...
>> option which is not very flexible. If it's only for a few users
>> it might work. In either case you still need ~/.k5login or auth_to_local
>>
>> Options include:
>>
>>   run Russ's pam_krb5, at least for sshd.
> I compiled Russ's pam_krb5 on Fedora and now I can use the .k5login
> file to auth with joejohnson at EXAMPLE.COM to my local joe account.
> However the auth_to_local_names maps don't work..Only the .k5login
> works.. If I remove auth_to_local_names altogether it still works with
> the .k5login in place. So it seems .k5login is working while
> auth_to_local_names is not..
> You said above I would still need .k5login or auth_to_local.

Ask Russ, but I think the prompt_principal might work with
auth_to_local. In any case, .k5login works, so use it.



> I assume
> then that auth_to_local_names won't work period?
>>
>>   Use double /etc/password entries like:
>>   joe:x:11111:22222:Joe original:/home/joe:/bin/bash
>>   joejohnson:x:11111:22222:Joe original:/home/joe:/bin/bash
>>
> I did not have to do this step, duplicating the password entries. Can
> you please explain the need for this?

If you wanted to continue to use the Red-Hat pam_krb5, this would
be another option, as the user could then ssh joejohnson at host and
end up using the joe account. It has its restrictions as joejohnson
can only login to the joe account.


> I did notice that using .k5login
> the sudo command breaks and does not accept the kerb password. Is
> there a way around this? I have the pam_krb5 listed in all 4 PAM
> stacks but still does not accept ker password for sudo.

Interesting. I have not tested this. You may only want to
use Russ's pam_krb5 on sshd, and leave the rest alone.
Try adding the joe at realm to the .k5login too.

>> Also duplicate any joe entries with joejohnson entries in /etc/groups
>> and/or netgroups.
>>
>> If using ldap you can add a Uid=joejohnson attribute to the joe account
>> and add joejohnson to any groups and/or netgroups.
>>
>>>
>>> What is the suggested method here for mapping principals with unlike
>>> local account names using both RHEL and Debian pam_krb? I must be
>>> doing something incorrectly so any help is appreciated.
>>
>> Not doing anything wrong, sshd and RedHat pam_krb5 are not very
>> flexible.
> That's good to know. Even on a debian box I am unable to use
> auth_to_local_names.. Is there a specific section I am supposed to put
> this auth_to_local_names entry?

Sounds like it is not needed if you have the .k5login. I only used it
a long time ago, for mapping realms. It's tricky to set up too.

> I am specifying it in the [REALM]
> section as instructed by the krb5.conf man page.
>
> Thanks again
> TC
>>
>>>
>>> Thanks
>>> TC
>>> ________________________________________________
>>> Kerberos mailing list           Kerberos at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
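A small model of the two authorization paths argued over in this thread (the auth_to_local_names / auth_to_local mapping in krb5.conf versus a ~/.k5login file), added here as an example; it is not code from the thread, from MIT krb5 or from either pam_krb5. The RULE line, the kuserok logic and the sample principals are my own reconstruction of MIT krb5 behaviour, and the constructed .k5login checks show why adding joe at realm to the file too, as suggested above, matters.

```python
import re

DEFAULT_REALM = "EXAMPLE.COM"

# Constructed equivalents of the krb5.conf stanzas in the thread: the explicit
# auth_to_local_names map from the [realms] section, plus an auth_to_local
# RULE expressing the same mapping in regex form (assumed, not from the post).
AUTH_TO_LOCAL_NAMES = {"joejohnson": "joe"}
AUTH_TO_LOCAL = [
    r"RULE:[1:$1@$0](^joejohnson@EXAMPLE\.COM$)s/^joejohnson@.*$/joe/",
    "DEFAULT",
]
# RULE:[n:format](selector)s/pattern/replacement/[g]
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)s/(.*)/(.*)/(g?)$")


def parse_principal(princ):
    """Split 'a/b@REALM' into (['a', 'b'], 'REALM')."""
    name, _, realm = princ.rpartition("@")
    return name.split("/"), realm


def apply_rule(rule, comps, realm):
    """Apply one RULE; return the local name, or None if the rule does not fire."""
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError("malformed auth_to_local rule: " + rule)
    ncomp, fmt, selector, pattern, repl, gflag = m.groups()
    if len(comps) != int(ncomp):          # rule applies to n-component names only
        return None
    s = fmt.replace("$0", realm)          # $0 is the realm, $1.. the components
    for i, comp in enumerate(comps, start=1):
        s = s.replace("$%d" % i, comp)
    if re.search(selector, s) is None:
        return None
    return re.sub(pattern, repl, s, count=0 if gflag else 1)


def aname_to_localname(princ):
    """Model of krb5_aname_to_localname: explicit names first, then the rules."""
    comps, realm = parse_principal(princ)
    if realm == DEFAULT_REALM and len(comps) == 1 and comps[0] in AUTH_TO_LOCAL_NAMES:
        return AUTH_TO_LOCAL_NAMES[comps[0]]
    for rule in AUTH_TO_LOCAL:
        if rule == "DEFAULT":             # same-realm single-component name maps to itself
            if realm == DEFAULT_REALM and len(comps) == 1:
                return comps[0]
            continue
        local = apply_rule(rule, comps, realm)
        if local is not None:
            return local
    return None


def kuserok(princ, local_user, k5login_lines=None):
    """Model of krb5_kuserok: when a .k5login exists only its entries count;
    without one the principal has to map onto the local account name."""
    if k5login_lines is not None:
        allowed = {l.strip() for l in k5login_lines if l.strip() and not l.lstrip().startswith("#")}
        return princ in allowed
    return aname_to_localname(princ) == local_user
```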


