ssh GSSAPI and auth_to_local

Greg Hudson ghudson at MIT.EDU
Tue Sep 28 22:11:09 EDT 2010


On Mon, 2010-09-27 at 21:11 -0400, Tom Parker wrote:
> [realms]
>      CENTRAL = {
>                  auth_to_local = RULE:[1:$1@CENTRAL]
>                  auth_to_local = RULE:[2:$1@CENTRAL]
>      }
> 
> This works great for ssh with passwords but it has totally broken the 
> GSSAPI Single Sign On.

I'm not sure if krb5_kuserok or krb5_aname_to_lname would come into play
during password auth.

> From what I can see with strace and a little reading, the krb5_kuserok
> function that is used to validate a user is ignoring the auth_to_local
> directives and is stripping off everything but the first component of a
> principal.

That's not my reading of the code.  However: auth_to_local rules are
always looked up in the host's default realm, not the realm of the
principal.  So I would think you would want:

[realms]
	<default domain> = {
		auth_to_local = RULE:[1:$1@$0]
		auth_to_local = RULE:[2:$1@$0]
	}
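To make the lookup behaviour concrete, here is an added example (not code from the thread or from MIT krb5) that models auth_to_local in Python: RULE values in the `[n:template](regexp)s/pat/rep/g` form plus DEFAULT, with the rule list taken from the stanza of the host's default realm rather than the principal's realm. The two configurations are the ones from the thread, rendered as dicts; `EXAMPLE.ORG` is an assumed default realm for the ssh server, which the thread never names. Simplifications relative to krb5: the `(regexp)` part may not contain `)`, and substitutions use `/` as the only delimiter.

```python
import re
from typing import Dict, Optional

# Constructed krb5.conf fragments (as dicts), modelled on the two configurations
# in the thread. POSTED_CONF puts the rules under the CENTRAL realm; SUGGESTED_CONF
# puts them under the host's default realm. "EXAMPLE.ORG" is an assumed default
# realm for the ssh server; the thread does not name it.
POSTED_CONF = {
    "realms": {
        "CENTRAL": {"auth_to_local": ["RULE:[1:$1@CENTRAL]", "RULE:[2:$1@CENTRAL]"]},
    }
}
SUGGESTED_CONF = {
    "realms": {
        "EXAMPLE.ORG": {"auth_to_local": ["RULE:[1:$1@$0]", "RULE:[2:$1@$0]"]},
    }
}

# RULE:[n:template](regexp)s/pat/rep/g...  -- (regexp) and the s/// parts are optional
_RULE_RE = re.compile(r"^\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(.*)$")
_SED_RE = re.compile(r"^s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")


def split_principal(principal: str):
    """'user/instance@REALM' -> (['user', 'instance'], 'REALM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError(f"principal has no realm: {principal!r}")
    return name.split("/"), realm


def apply_rule(rule: str, principal: str, default_realm: str) -> Optional[str]:
    """Apply one auth_to_local value; None means 'this rule does not apply'."""
    comps, realm = split_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT: the first component, but only for a single-component
        # principal in the host's default realm.
        return comps[0] if len(comps) == 1 and realm == default_realm else None
    if not rule.startswith("RULE:"):
        raise ValueError(f"unsupported auth_to_local value: {rule!r}")
    m = _RULE_RE.match(rule[len("RULE:"):])
    if m is None:
        raise ValueError(f"malformed rule: {rule!r}")
    n, template, regexp, rest = int(m.group(1)), m.group(2), m.group(3), m.group(4)
    if len(comps) != n:  # [n:...] only fires for principals with exactly n components
        return None

    def expand(var):  # $0 is the realm, $1..$n are the components
        i = int(var.group(1))
        if i > n:
            raise ValueError(f"${i} referenced but rule takes {n} components: {rule!r}")
        return realm if i == 0 else comps[i - 1]

    candidate = re.sub(r"\$(\d+)", expand, template)
    if regexp is not None and re.fullmatch(regexp, candidate) is None:
        return None  # (regexp) has to match the whole formatted string
    while rest:  # then zero or more sed-style substitutions, applied in order
        sm = _SED_RE.match(rest)
        if sm is None:
            raise ValueError(f"malformed substitution in {rule!r}: {rest!r}")
        pat, rep, g = sm.groups()
        candidate = re.sub(pat, rep, candidate, count=0 if g else 1)
        rest = rest[sm.end():]
    return candidate


def auth_to_local(principal: str, conf: Dict, default_realm: str = "EXAMPLE.ORG") -> Optional[str]:
    """Map a principal to a local name. The rule list is read from the stanza
    of the host's default realm, not from the principal's realm; that is the
    point made in the reply above. No auth_to_local at all means DEFAULT;
    rules present but none matching means the mapping fails (None)."""
    stanza = conf.get("realms", {}).get(default_realm, {})
    rules = stanza.get("auth_to_local", ["DEFAULT"])
    for rule in rules:
        local = apply_rule(rule, principal, default_realm)
        if local is not None:
            return local
    return None


if __name__ == "__main__":
    for conf_name, conf in (("posted", POSTED_CONF), ("suggested", SUGGESTED_CONF)):
        for p in ("tom@CENTRAL", "tom/admin@CENTRAL", "tom@EXAMPLE.ORG"):
            print(f"{conf_name:9} {p:20} -> {auth_to_local(p, conf)}")
```

With the posted layout the CENTRAL stanza is never consulted on a host whose default realm is something else, so `tom@CENTRAL` falls through to DEFAULT and fails; the same rules do work if the host's default realm happens to be CENTRAL. With the suggested `$0` form the mapping works for CENTRAL principals, and note that it also applies to principals in the default realm itself, since `$0` is simply whatever realm the principal carries.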
