pam_krb5 questions
Techie
techchavez at gmail.com
Thu Jul 15 17:40:47 EDT 2010
On Thu, Jul 15, 2010 at 1:40 PM, Douglas E. Engert <deengert at anl.gov> wrote:
>
>
> On 7/15/2010 3:23 PM, Techie wrote:
>>
>> On Thu, Jul 15, 2010 at 12:43 PM, Douglas E. Engert<deengert at anl.gov>
>> wrote:
>>>
>>>
>>> On 7/15/2010 2:15 PM, Techie wrote:
>>>>
>>>> Hi,
>>>>
>>>> This question is actually regarding both the RHEL pam_krb5 and the
>>>> Debian or Russ's pam_krb5. What I am trying to do is to have krb5
>>>> principals login via ssh and authenticate to a local account.
>>>> So principal joejohnson at EXAMPLE.COM should be authenticated as local
>>>> account joe on the local box. I should mention that the host does not
>>>> have a keytab but I am simply trying to authenticate via ssh. I can
>>>> authenticate perfectly if the principal matches the local account.
>>>>
>>>> Now I see that the krb5.conf allows for something like this.. But it
>>>> does not work..Auth fails and I get an error that joe at EXAMPLE.COM is
>>>> not found in the database. It is not mapping joejohnson at EXAMPLE.COM to
>>>> joe...It's trying joe at EXAMPLE.COM which won't work. This is true on
>>>> RHEL and Debian.
>>>>
>>>> [REALMS]
>>>> EXAMPLE.COM = {
>>>> auth_to_local_names = {
>>>> joejohnson = joe
>>>> }
>>>> }
>>>>
>>>> However, if I put this in appdefaults and add a .k5login with
>>>> joejohnson at EXAMPLE.COM in /home/joe, I can login via ssh fine.. This
>>>> is only with Debian!!, RHEL still fails.
>>>>
>>>> [appdefaults]
>>>> forwardable = true
>>>> pam = {
>>>> minimum_uid = 100
>>>> EXAMPLE.COM = {
>>>> search_k5login = true
>>>> }
>>>> }
>>>>
>>>> But I'd rather use auth_to_local_names or auth_to_local with a
>>>> regex..A .k5login for every user may get tedious but I can deal if I
>>>> have to.
>>>> Now the RedHat krb5.conf man page states that I can use these
>>>> auth_to_local parameters but as I said it still looks for the
>>>> joe at EXAMPLE.COM entry and not the joejohnson at EXAMPLE.COM entry... What
>>>> am I doing wrong? Also it seems that the RHEL pam_krb5 does not
>>>> support "search_k5login", is that accurate?
>>>
>>> Interestingly, I have been looking at this same problem this week!
>>>
>>> Russ's pam_krb5 has both the prompt_principal, and search_k5login
>>> that could be used. The RedHat has only a mappings = regex regex ...
>>> option which is not very flexible. If it's only for a few users
>>> it might work. In either case you still need ~/.k5login or auth_to_local
>>>
>>> Options include:
>>>
>>> run Russ's pam_krb5, at least for sshd.
>>
>> I compiled Russ's pam_krb5 on Fedora and now I can use the .k5login
>> file to auth with joejohnson at EXAMPLE.COM to my local joe account.
>> However the auth_to_local_names maps don't work..Only the .k5login
>> works.. If I remove auth_to_local_names altogether it still works with
>> the .k5login in place. So it seems .k5login is working while
>> auth_to_local_names is not..
>> You said above I would still need .k5login or auth_to_local.
>
> Ask Russ, but I think the prompt_principal might work with
> auth_to_local. In any case, .k5login works, so use it.
Ok will do, looks like it is the option that works. Thanks!
>
>
>
>> I assume then that auth_to_local_names won't work period?
>>>
>>> Use double /etc/passwd entries like:
>>> joe:x:11111:22222:Joe original:/home/joe:/bin/bash
>>> joejohnson:x:11111:22222:Joe original:/home/joe:/bin/bash
>>>
>> I did not have to do this step, duplicating the password entries. Can
>> you please explain the need for this?
>
> If you wanted to continue to use the Red-Hat pam_krb5, this would
> be another option, as the user could then ssh joejohnson at host and
> end up using the joe account. It has its restrictions as joejohnson
> can only login to the joe account.
>
>
>> I did notice that using .k5login
>> the sudo command breaks and does not accept the kerb password. Is
>> there a way around this? I have the pam_krb5 listed in all 4 PAM
>> stacks but it still does not accept the kerb password for sudo.
>
> Interesting. I have not tested this. You may only want to
> use Russ's pam_krb5 on sshd, and leave the rest alone.
> Try adding the joe at realm to the .k5login too.
I was mistaken, sudo is fine with the pam_krb module. I had compiled
sudo from source for testing some time ago and was pointed to those
binaries.
>
>>> Also duplicate any joe entries with joejohnson entries in /etc/group
>>> and/or netgroups.
>>>
>>> If using ldap you can add a Uid=joejohnson attribute to the joe account,
>>> and add joejohnson to any groups and/or netgroups.
>>>
>>>>
>>>> What is the suggested method here for mapping principals with unlike
>>>> local account names using both RHEL and Debian pam_krb? I must be
>>>> doing something incorrectly so any help is appreciated.
>>>
>>> Not doing anything wrong, sshd and RedHat pam_krb5 are not very
>>> flexible.
>>
>> That's good to know. Even on a debian box I am unable to use
>> auth_to_local_names.. Is there a specific section I am supposed to put
>> this auth_to_local_names entry in?
>
> Sounds like it is not needed if you have the .k5login. I only used it
> a long time ago, for mapping realms. It's tricky to set up too.
Agreed, I was just hoping to use the auth_to_local similar to sasl regex
mapping in OpenLDAP. That way you have one mapping defined and don't
worry about .k5login files.
But this will have to do for now.
Appreciate the help.
TC
>
>> I am specifying it in the [REALM]
>> section as instructed by the krb5.conf man page.
>>
>> Thanks again
>> TC
>>>
>>>>
>>>> Thanks
>>>> TC
>>>> ________________________________________________
>>>> Kerberos mailing list Kerberos at mit.edu
>>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>>
>>>>
>>>
>>> --
>>>
>>> Douglas E. Engert<DEEngert at anl.gov>
>>> Argonne National Laboratory
>>> 9700 South Cass Avenue
>>> Argonne, Illinois 60439
>>> (630) 252-5444
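As an added illustration of the two mapping directions this thread keeps running into (principal to local account via auth_to_local_names, and local account to principal via ~/.k5login with search_k5login), here is a small Python model. It is constructed for this page, not pam_krb5 or MIT krb5 code, and the realm and user names are the thread's sample values.

```python
"""Constructed model of the two name mappings discussed above (not pam_krb5
or MIT krb5 code).  auth_to_local_names maps principal -> local user after
authentication; PAM password auth starts from a local user and needs a
principal to get a TGT for, which search_k5login takes from ~user/.k5login."""
from typing import Dict, List, Optional

DEFAULT_REALM = "EXAMPLE.COM"  # sample realm from the thread
NamesMap = Dict[str, Dict[str, str]]  # realm -> {principal name -> local user}

def split_principal(principal: str):
    """Return (name, realm) of a fully qualified principal."""
    if "@" not in principal:
        raise ValueError("principal must be fully qualified: " + principal)
    name, realm = principal.rsplit("@", 1)
    return name, realm

def principal_to_local(names_map: NamesMap, principal: str,
                       default_realm: str = DEFAULT_REALM) -> Optional[str]:
    """auth_to_local_names lookup, then the DEFAULT rule: a one-component
    principal in the default realm maps to the same local name; else None."""
    name, realm = split_principal(principal)
    mapped = names_map.get(realm, {}).get(name)
    if mapped is not None:
        return mapped
    if realm == default_realm and "/" not in name:
        return name
    return None

def k5login_entries(k5login: Optional[List[str]]) -> List[str]:
    """Principals listed in ~/.k5login, ignoring blank and comment lines."""
    lines = [l.strip() for l in (k5login or [])]
    return [l for l in lines if l and not l.startswith("#")]

def candidate_principals(local_user: str, k5login: Optional[List[str]],
                         search_k5login: bool) -> List[str]:
    """Principals PAM would try the password against.  Without
    search_k5login only user@REALM is tried: the joe vs. joejohnson failure."""
    entries = k5login_entries(k5login) if search_k5login else []
    return entries or [local_user + "@" + DEFAULT_REALM]

def kuserok(principal: str, local_user: str, k5login: Optional[List[str]],
            names_map: NamesMap) -> bool:
    """Post-authentication check: with a ~/.k5login the principal must be
    listed in it, otherwise principal_to_local must yield local_user."""
    if k5login is not None:
        return principal in k5login_entries(k5login)
    return principal_to_local(names_map, principal) == local_user
```

Run candidate_principals("joe", ["joejohnson@EXAMPLE.COM"], False) to see why the RHEL setup only ever tries joe@EXAMPLE.COM, and kuserok(...) with and without a .k5login to see which side each mechanism governs.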