pam_krb5 questions

Techie techchavez at gmail.com
Thu Jul 15 17:49:59 EDT 2010


On Thu, Jul 15, 2010 at 2:20 PM, Russ Allbery <rra at stanford.edu> wrote:
> Techie <techchavez at gmail.com> writes:
>
>> I compiled Russ's pam_krb5 on Fedora and now I can use the .k5login
>> file to auth with joejohnson at EXAMPLE.COM to my local joe account.
>> However the auth_to_local_names maps don't work. Only the .k5login
>> works. If I remove auth_to_local_names altogether it still works with
>> the .k5login in place.
>
> auth_to_local_names is only helpful if you already have a Kerberos ticket
> and you're just verifying that ticket is sufficient to permit
> authentication.  It doesn't help with figuring out what Kerberos principal
> to authenticate as at the PAM layer, since the Kerberos library doesn't
> provide a way to expose that direction of mapping.
OK, I see now, thank you for clarifying that. I was going bonkers.
>
> If you don't want to use search_k5login, you would need to use
> prompt_principal (which requires that the ssh client support
> ChallengeResponse).
.k5login appears to be cleaner; prompt_principal seems to require that
I input a principal name.
>> I did not have to do this step, duplicating the password entries. Can
>> you please explain the need for this? I did notice that using .k5login
>> the sudo command breaks and does not accept the kerb password. Is there
>> a way around this? I have the pam_krb5 listed in all 4 PAM stacks but
>> it still does not accept the kerb password for sudo.
>
> I don't know of any reason why it shouldn't work with sudo, but I don't
> personally use sudo and don't have any simple way to test.  I'd need to
> see the debug log output to understand exactly what it's doing.
You are right, Russ, it was my mistake.
You don't use sudo! What do you use?

Thanks
TC
>
> --
> Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
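An added example, not part of the original thread or of pam_krb5: a Python sketch of the user-to-principal direction that search_k5login relies on (the principals listed in ~/.k5login become the candidates tried with the password), plus an audit of who a .k5login lets in. The function names, the OTHER.TEST principal, the allowed-realm policy and the permission checks are assumptions made for illustration.

```python
import os
import stat
import tempfile

def read_k5login(path):
    """Return the principals listed in a .k5login file (one per line)."""
    with open(path, encoding="utf-8") as fh:
        return [line.strip() for line in fh if line.strip()]

def candidate_principals(user, home, default_realm):
    """Principals a search_k5login-style lookup would try for a local user.

    Without a .k5login the only candidate is user@default_realm.
    """
    path = os.path.join(home, ".k5login")
    if os.path.isfile(path):
        return read_k5login(path)
    return [f"{user}@{default_realm}"]

def audit_k5login(path, owner_uid, allowed_realms):
    """Flag loose permissions and principals outside the allowed realms.

    The ownership and mode checks are a local hardening policy (assumption).
    """
    findings = []
    st = os.stat(path)
    if st.st_uid not in (owner_uid, 0):
        findings.append("not owned by account or root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group/world writable")
    for principal in read_k5login(path):
        realm = principal.rpartition("@")[2] if "@" in principal else ""
        if realm not in allowed_realms:
            findings.append(f"principal outside allowed realms: {principal}")
    return findings

def demo():
    """Constructed sample: joe's .k5login with one unexpected principal."""
    with tempfile.TemporaryDirectory() as home:
        path = os.path.join(home, ".k5login")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("joejohnson@EXAMPLE.COM\nadmin@OTHER.TEST\n")
        os.chmod(path, 0o664)  # deliberately group-writable for the demo
        candidates = candidate_principals("joe", home, "EXAMPLE.COM")
        findings = audit_k5login(path, os.getuid(), {"EXAMPLE.COM"})
        return candidates, findings

if __name__ == "__main__":
    print(demo())
```

Every principal in the file is authorized to log in as the account, so an unexpected entry is an access grant, not just a login convenience.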



