pam_krb5 questions

Russ Allbery rra at stanford.edu
Thu Jul 15 17:20:43 EDT 2010


Techie <techchavez at gmail.com> writes:

> I compiled Russ's pam_krb5 on Fedora and now I can use the .k5login
> file to auth with joejohnson@EXAMPLE.COM to my local joe account.
> However, the auth_to_local_names maps don't work. Only the .k5login
> works. If I remove auth_to_local_names altogether it still works with
> the .k5login in place.

auth_to_local_names is only helpful if you already have a Kerberos ticket
and you're just verifying that ticket is sufficient to permit
authentication.  It doesn't help with figuring out what Kerberos principal
to authenticate as at the PAM layer, since the Kerberos library doesn't
provide a way to expose that direction of mapping.

If you don't want to use search_k5login, you would need to use
prompt_principal (which requires that the ssh client support
ChallengeResponse).

> I did not have to do this step, duplicating the password entries. Can
> you please explain the need for this? I did notice that using .k5login
> the sudo command breaks and does not accept the Kerberos password. Is
> there a way around this? I have the pam_krb5 listed in all 4 PAM stacks
> but it still does not accept the Kerberos password for sudo.

I don't know of any reason why it shouldn't work with sudo, but I don't
personally use sudo and don't have any simple way to test.  I'd need to
see the debug log output to understand exactly what it's doing.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
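As an added example (not part of this thread, and not pam-krb5's own documentation), here is the configuration the reply above describes: the search_k5login path, with prompt_principal shown as the alternative for clients that support keyboard-interactive, and debug turned on so the log output Russ asks for is actually produced. The option names (search_k5login, prompt_principal, debug, minimum_uid, try_first_pass) are pam-krb5's; the realm, paths, principals and UID threshold are made up for the illustration.

```ini
# /etc/krb5.conf (excerpt). EXAMPLE.COM is a placeholder realm.
[libdefaults]
    default_realm = EXAMPLE.COM

[appdefaults]
    pam = {
        # Try each principal listed in ~/.k5login with the password the
        # user typed. This is the local-account -> principal direction
        # that auth_to_local_names cannot supply at the PAM layer.
        search_k5login = true
        # Alternative: ask the user which principal to authenticate as.
        # Needs a client that supports keyboard-interactive, e.g.
        # "ChallengeResponseAuthentication yes" in sshd_config.
        # prompt_principal = true
        # Log every step to syslog so failures (sudo included) can be
        # diagnosed; remove once things work.
        debug = true
        # Do not try Kerberos for system accounts (example threshold).
        minimum_uid = 1000
    }

# /home/joe/.k5login (example). One principal per line; each is
# allowed to log in as the local account "joe".
# joejohnson@EXAMPLE.COM
# joe/admin@EXAMPLE.COM

# /etc/pam.d/system-auth (auth section, example). The same options may
# be given here on the module line instead of in [appdefaults].
# auth    sufficient  pam_krb5.so  search_k5login debug
# auth    required    pam_unix.so  try_first_pass
```

Whichever PAM service is failing (sudo uses the "sudo" service, which on Fedora normally includes system-auth) must reach the pam_krb5.so auth line; with debug on, pam-krb5 writes each lookup and authentication attempt to syslog (on Fedora usually /var/log/secure), which is the output needed to see which principal was tried and why it was rejected.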
