ssh GSSAPI and auth_to_local
Greg Hudson
ghudson at MIT.EDU
Tue Sep 28 22:11:09 EDT 2010
On Mon, 2010-09-27 at 21:11 -0400, Tom Parker wrote:
> [realms]
> CENTRAL = {
> auth_to_local = RULE:[1:$1@CENTRAL]
> auth_to_local = RULE:[2:$1@CENTRAL]
> }
>
> This works great for ssh with passwords but it has totally broken the
> GSSAPI Single Sign On.
I'm not sure if krb5_kuserok or krb5_aname_to_lname would come into play
during password auth.
> From what I can see with strace and a little reading, the krb5_kuserok
> function that is used to validate a user is ignoring the auth_to_local
> directives and is stripping off everything but the first component of a
> principal.
That's not my reading of the code. However: auth_to_local rules are
always looked up in the host's default realm, not the realm of the
principal. So I would think you would want:
[realms]
<default domain> = {
auth_to_local = RULE:[1:$1@$0]
auth_to_local = RULE:[2:$1@$0]
}
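The point of the reply is that krb5 reads auth_to_local rules from the [realms] entry of the host's own default realm, so rules filed under the principal's realm (CENTRAL) are never consulted unless CENTRAL is also the default realm. The script below is an added example, not code from this thread or from MIT krb5: a small Python evaluator for the krb5.conf RULE syntax (RULE:[n:string](regexp)s/pattern/replacement/g plus DEFAULT) that looks rules up the way the reply describes. It goes beyond the thread by also handling the optional (regexp) filter and s/// substitutions. The default realm LOCAL.EXAMPLE, the three configs and the principals are constructed; principal-name escaping and POSIX-versus-Python regex differences are ignored.

```python
import re
from typing import Dict, List, Optional

# One auth_to_local entry: RULE:[n:string](regexp)s/pattern/replacement/g
# (regexp) is optional; in this toy the regexp itself may not contain ')'.
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(.*)$")
# One sed-style substitution; a '/' inside pattern or replacement must be written '\/'
SUBST_RE = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")

Realms = Dict[str, Dict[str, List[str]]]  # stand-in for the [realms] section


def parse_principal(principal: str):
    """Split 'comp1/comp2@REALM' into (['comp1', 'comp2'], 'REALM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name:
        raise ValueError("not a principal name: %r" % principal)
    return name.split("/"), realm


def apply_rule(rule: str, components: List[str], realm: str,
               default_realm: str) -> Optional[str]:
    """Local name produced by one auth_to_local entry, or None if it does not apply."""
    if rule == "DEFAULT":
        # DEFAULT only maps one-component principals of the default realm
        return components[0] if realm == default_realm and len(components) == 1 else None
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError("unsupported auth_to_local entry: %r" % rule)
    ncomp, fmt, regexp, substs = int(m.group(1)), m.group(2), m.group(3), m.group(4)
    if len(components) != ncomp:
        return None  # the rule is only for principals with exactly n components

    # Build the candidate string: $0 is the realm, $1..$n are the components
    if any(int(r) > ncomp for r in re.findall(r"\$(\d+)", fmt)):
        return None  # malformed rule (refers to a missing component): treat as no match
    candidate = re.sub(r"\$(\d+)",
                       lambda mm: realm if mm.group(1) == "0"
                       else components[int(mm.group(1)) - 1], fmt)

    # The optional (regexp) must match the whole candidate string
    if regexp is not None and re.fullmatch(regexp, candidate) is None:
        return None

    # Apply the s/pattern/replacement/[g] commands in order (first match unless 'g')
    for pattern, replacement, g in SUBST_RE.findall(substs):
        candidate = re.sub(pattern, replacement, candidate, count=0 if g else 1)
    return candidate


def aname_to_lname(realms: Realms, default_realm: str, principal: str) -> Optional[str]:
    """Map a principal to a local user name, or None when no rule applies.

    As in MIT krb5, the rules come from the [realms] entry of the HOST's
    default realm, whatever realm the principal belongs to."""
    components, realm = parse_principal(principal)
    rules = realms.get(default_realm, {}).get("auth_to_local") or ["DEFAULT"]
    for rule in rules:
        local = apply_rule(rule, components, realm, default_realm)
        if local is not None:
            return local  # first rule that produces a name wins
    return None


# Constructed configs; the host's default realm is assumed to be LOCAL.EXAMPLE
TOM_CONFIG: Realms = {"CENTRAL": {"auth_to_local": [
    "RULE:[1:$1@CENTRAL]", "RULE:[2:$1@CENTRAL]"]}}
GREG_CONFIG: Realms = {"LOCAL.EXAMPLE": {"auth_to_local": [
    "RULE:[1:$1@$0]", "RULE:[2:$1@$0]"]}}
# Beyond the thread: strip the realm, tag /admin instances, then fall back to DEFAULT
EXTENDED_CONFIG: Realms = {"LOCAL.EXAMPLE": {"auth_to_local": [
    "RULE:[1:$1@$0](.*@CENTRAL)s/@CENTRAL//",
    "RULE:[2:$2-$1@$0](admin-.*@CENTRAL)s/^admin-(.*)@CENTRAL/\\1-adm/",
    "DEFAULT"]}}

if __name__ == "__main__":
    for cfg_name, cfg in (("tom", TOM_CONFIG), ("greg", GREG_CONFIG),
                          ("extended", EXTENDED_CONFIG)):
        for p in ("tom@CENTRAL", "tom/admin@CENTRAL",
                  "alice@LOCAL.EXAMPLE", "eve@OTHER.EXAMPLE"):
            print("%-8s %-22s -> %r" % (cfg_name, p, aname_to_lname(cfg, "LOCAL.EXAMPLE", p)))
```

Running it shows the failure mode from the thread: with the rules under CENTRAL and a different default realm, tom@CENTRAL maps to nothing (only the implicit DEFAULT is tried, and it rejects foreign realms), whereas the same rules under the default realm, written with $0, do produce a name. Note that [1:$1@$0] literally yields "tom@CENTRAL" as the local name; a local account of that exact form, or a trailing s/@CENTRAL// as in the extended config, is needed for the mapping to land on a plain user name.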